From 8607b4822e4b6437d87dabf714882407f8959ef2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?=
Date: Sat, 30 Nov 2019 23:00:25 +0100
Subject: [PATCH] Update the translations for the 2.2.3 release
---
 po/bg.po | 977 +-
 po/ca.po | 977 +-
 po/cs.po | 46 +-
 po/de.po | 977 +-
 po/es.po | 987 +-
 po/eu.po | 977 +-
 po/fr.po | 977 +-
 po/hu.po | 977 +-
 po/id.po | 977 +-
 po/it.po | 977 +-
 po/nb.po | 977 +-
 po/nl.po | 977 +-
 po/pl.po | 987 +-
 po/pt.po | 977 +-
 po/pt_BR.po | 977 +-
 po/ru.po | 977 +-
 po/sssd.pot | 977 +-
 po/sv.po | 993 +-
 po/tg.po | 977 +-
 po/tr.po | 977 +-
 po/uk.po | 987 +-
 po/zh_CN.po | 977 +-
 po/zh_TW.po | 977 +-
 src/man/po/br.po | 15129 ++++++++++++------------
 src/man/po/ca.po | 17712 ++++++++++++++--------------
 src/man/po/cs.po | 15349 +++++++++++++------------
 src/man/po/de.po | 18871 +++++++++++++++---------------
 src/man/po/es.po | 18975 +++++++++++++++---------------
 src/man/po/eu.po | 15103 ++++++++++++------------
 src/man/po/fi.po | 15153 ++++++++++++------------
 src/man/po/fr.po | 18771 +++++++++++++++---------------
 src/man/po/ja.po | 17531 ++++++++++++++--------------
 src/man/po/lv.po | 15195 ++++++++++++------------
 src/man/po/nl.po | 15125 ++++++++++++------------
 src/man/po/pt.po | 15741 ++++++++++++-------------
 src/man/po/pt_BR.po | 15103 ++++++++++++------------
 src/man/po/ru.po | 15131 ++++++++++++------------
 src/man/po/sssd-docs.pot | 15141 ++++++++++++------------
 src/man/po/sv.po | 22089 ++++++++++++++++++-----------------
 src/man/po/tg.po | 15129 ++++++++++++------------
 src/man/po/uk.po | 22801 +++++++++++++++++++------------------
 src/man/po/zh_CN.po | 15129 ++++++++++++------------
 42 files changed, 174472 insertions(+), 166292 deletions(-)
diff --git a/po/bg.po b/po/bg.po
index 4181e8711e6..831ee28b8a3 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2019-09-12 02:51+0200\n"
+"POT-Creation-Date: 2019-11-30 22:24+0100\n"
 "PO-Revision-Date: 2014-12-14 11:44+0000\n"
 "Last-Translator: Copied by Zanata \n"
 "Language-Team: Bulgarian (http://www.transifex.com/projects/p/sssd/language/"
@@ -78,12 +78,12 @@ msgid "Timeout for messages sent over the SBUS"
 msgstr "Изчакване за съобщения, изпратени през SBUS"
 
 #: src/config/SSSDConfig/__init__.py.in:60
-#: src/config/SSSDConfig/__init__.py.in:201
+#: src/config/SSSDConfig/__init__.py.in:203
 msgid "Regex to parse username and domain"
 msgstr "Regex за намиране на потребителско име и домейн"
 
 #: src/config/SSSDConfig/__init__.py.in:61
-#: src/config/SSSDConfig/__init__.py.in:200
+#: src/config/SSSDConfig/__init__.py.in:202
 msgid "Printf-compatible format for displaying fully-qualified names"
 msgstr "Printf-съвместим формат за изобразяване на пълно-квалифицирани имена"
 
@@ -299,1282 +299,1296 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Доставчик на самоличност" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Доставчик на удостоверяване" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Доставчик на контрол на достъп" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Доставчик на смяна на парола" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Минимално ID на потребител" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Максимално ID на потребител" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid 
"Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Кеширай идентификационни данни за офлайн влизане" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Показвай потребители/групи в пълно -валифицирана форма" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "Ограничава или предпочита определена фамилия адреси при DNS търсения" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Колко дни да се пазят кешираните записи след последното успешно влизане" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Колко време да чакам за отговори от DNS при търсене на сървъри (секунди)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Частта Домейн от DNS заявката за откриване на услуга" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "Интерфейсът, чийто IP да се ползва за динамични DNS обновявания" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR 
record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA домейн" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Адрес на IPA сървър" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client 
hostname" msgstr "Име на хост на IPA клиент" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "Дали автоматично да се обновява клиентския DNS запис във FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr 
"" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: 
src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "LDAP филтър за определяне права на достъп" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Адрес на Kerberos сървър" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberos област" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Директория за съхранение на кеша за данни за 
удостоверяване" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Местоположение на кеша за данни за удостоверяване на потребители" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Местоположение на keytab за валидиране на данните за удостоверяване" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Разреши проверката на данните за удостоверяване" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "Записва паролата ако е офлайн за по-късно удостоверяване" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "Сървърът, на който работи услугата за смяна на парола ако не е на KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, URI на LDAP сървъра" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Базовият DN по подразбиране" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Използваният тип схема на LDAP сървъра, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Подразбиращият се bind DN" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Продължителност на опитите за свързване" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Продължителност 
на опитите за синхронни LDAP операции" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Продължителност на времето между опитите за връзка докато е офлайн" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Файл, съдържащ CA сертификати" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Път до директорията на CA сертификат" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Изисква TLS проверка на сертификат" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Задава за използване механизма sasl" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Задаване на sasl authorization id за употреба" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid 
"Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "keytab на Kerberos услуга" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Ползвай Kerberos auth за LDAP връзка" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Следвай LDAP референциите" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Продължителност на живот на TGT за LDAP връзка" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before 
disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Продължителност на време за изчакване на заявка за търсене" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Продължителност на време между актуализации на изброяване" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Изисква TLS за ИД справките" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" 
msgstr "атрибут Потребителско име" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "атрибут UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "атрибут Първичен GID" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "атрибут GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "атрибут Домашна директория" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "атрибут Команден интерпретатор" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "атрибут User principal (за Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Пълно име" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "атрибут членНа" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "атрибут Момент на промяна" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange 
attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: 
src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Политика за определяне срок на валидност на парола" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: 
src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Списък разрешени потребители, разделени със запетая" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Списък забранени потребители, разделени със запетая" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Подразбиращ се команден интерпретатор, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: 
src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Място за домашните директории" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Продължава като демон (по подразбиране)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Интерактивна работа (а не като демон)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Задаване на друг (не подразбиращия се) конфиг файл" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: 
src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Ниво на debug" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." 
msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1582,146 +1596,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD не е стартиран като root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Възникнала е грешка, но не може да се намери описание." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Неочаквана грешка при търсене на описание на грешка" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Съобщение от сървъра:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Паролите не съвпадат" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Промяна на паролата от root не се поддържа." 
-#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Удостоверен с кеширани идентификационни данни" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", кешираната парола ще изтече на: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Удостоверяването е забранено до: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Системата е офлайн, промяна на паролата не е възможна" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Промяната на паролата не успя." 
-#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Нова парола:" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Отново новата парола:" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Парола:" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Текуща парола:" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Паролата Ви е остаряла. Сменете я сега." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Нивото на debug записи при работа" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Грешка при задаване локални настр.\n" 
@@ -1737,27 +1751,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1809,21 +1823,21 @@ msgstr "Задайте потребител за добавяне\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Грешка при инициализирането на инструментите - няма локален домейн\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Грешка при инициализирането на инструментите\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "В FQDN е зададен невалиден домейн\n" @@ -1844,7 +1858,7 @@ msgstr "Групите трябва да са в същия домейн кат msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Не мога да задам стойностите по подразбиране\n" 
@@ -1923,7 +1937,7 @@ msgstr "Група %1$s е извън дефинирания ID обхват з #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -1985,15 +1999,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2036,68 +2050,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "Потребител %1$s е извън дефинирания ID обхват за домейн\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2176,88 +2190,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2292,7 +2306,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2302,7 +2315,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2378,32 +2390,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2416,12 +2449,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2430,17 +2461,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2461,27 +2490,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2489,17 +2513,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2508,52 +2526,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2566,27 +2593,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2596,7 +2618,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2605,7 +2626,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2620,7 +2640,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2630,7 +2649,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2687,122 +2705,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/ca.po b/po/ca.po index 757a4ee0d2c..c0127b10979 100644 --- a/po/ca.po +++ b/po/ca.po @@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2017-10-15 03:02+0000\n" "Last-Translator: Robert Antoni Buj Gelonch \n" "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/" 
@@ -87,12 +87,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "El temps d'expiració per als missatges enviats a través del SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "L'expressió regular per analitzar el nom d'usuari i el domini" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Format compatible amb printf per mostrar els FQN" 
@@ -340,321 +340,331 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "La llista dels UID o dels noms d'usuari que poden accedir al contestador del " "PAC" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "La llista dels UID o dels noms d'usuari que poden accedir al contestador de " "l'InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "La llista dels atributs de l'usuari que l'InfoPipe pot publicar" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 
msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: 
src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Proveïdor d'identitat" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Proveïdor d'autenticació" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Proveïdor de control d'accés" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Proveïdor de canvi de contrasenya" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "Proveïdor de SUDO" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Proveïdor d'Autofs" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Proveïdor d'identitat d'amfitrions" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: 
src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Id. mínim d'usuari" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Id. màxim d'usuari" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Habilita l'enumeració de tots els usuaris/grups" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Credencials en memòria cau per als inicis de sessions sense connexió" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Mostra els usuaris/grups en format plenament qualificat" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "No incloure als membres dels grups en la recerca del grup" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" "Període de temps per a l'expiració de les entrades de la memòria cau (en " "segons)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Restringeix o prefereix una família específica d'adreces quan es realitzi la " "recerca del DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: 
src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Quant de temps s'han de mantenir les entrades en la memòria cau després de " "l'últim inici de sessió reeixit (en dies)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Temps d'expiració per a les respostes del DNS en la resolució dels servidors " "(en segons)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "La part del domini de la consulta DNS del descobriment del servei" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" "Substitueix el valor del GID del proveïdor d'identitat amb aquest valor" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Distingeix entre majúscules i minúscules als noms d'usuari" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Amb quina freqüència les entrades vençudes s'actualitzen al rerefons" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Si s'actualitza automàticament l'entrada 
DNS del client" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "El TTL per aplicar a l'entrada DNS del client després d'actualitzar-ho" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "La interfície amb la IP que s'hauria d'utilitzar per a les actualitzacions " "dinàmiques DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Cada quant s'actualitzarà automàticament l'entrada DNS del client" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "Si el proveïdor ha d'actualitzar explícitament així el registre PTR" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Si la utilitat nsupdate per defecte ha d'utilitzar TCP" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Quin tipus d'autenticació s'ha d'utilitzar per realitzar l'actualització del " "DNS" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Control de l'enumeració dels 
amfitrions de confiança" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Amb quina freqüència s'ha de refrescar la llista dels subdominis" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "Llista de les opcions que han de ser inherents a un subdomini" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Domini IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Adreça del servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adreça del servidor IPA de reserva " -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nom d'amfitrió del client IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "Si s'actualitza automàticament l'entrada DNS del client a FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Base de cerca per als objectes relacionats amb HBAC" -#: 
src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" "Quantitat de temps entre recerques de les regles HBAC contra el servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" 
@@ -662,114 +672,114 @@ msgstr "" "Quantitat de temps en segons entre recerques de les assignacions SELinux " "contra el servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Si s'estableix a fals, s'ignorarà l'argument de l'amfitrió proporcionat amb " "PAM" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" "La ubicació de l'eina de muntatge automàtic que aquest client IPA està " "utilitzant" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" "Base de cerca per a l'objecte que conté la informació sobre el domini de " "l'IPA" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" "Base de cerca per als objectes que contenen informació sobre els intervals " "d'id." 
-#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" "Habilita els llocs DNS - el descobriment del servei es basa en la ubicació" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Base de cerca per als contenidors de la vista" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Objectclass per als contenidors de la vista" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "L'atribut amb el nom de la vista" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Objectclass per substituir els objectes" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "L'atribut amb la referència a l'objecte original" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Objectclass per als objectes de substitució d'usuari" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Objectclass per als objectes de substitució de grup" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against 
the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Domini Active Directory" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Adreça del servidor de l'Active Directory" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Adreça del servidor de l'Active Directory de reserva" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Nom d'amfitrió del client d'Active Directory" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Filtre LDAP per determinar els privilegis d'accés" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Si s'utilitza el catàleg global per a les recerques" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Mode d'operació per al control d'accés basat en GPO" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files 
against the AD " "server" @@ -777,7 +787,7 @@ msgstr "" "Quantitat de temps entre recerques de fitxers de polítiques GPO contra el " "servidor d'AD" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -785,7 +795,7 @@ msgstr "" "Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " "(Deny)InteractiveLogonRight del GPO" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -793,269 +803,269 @@ msgstr "" "Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " "(Deny)RemoteInteractiveLogonRight del GPO" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " "(Deny)NetworkLogonRight del GPO" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " "(Deny)BatchLogonRight del GPO" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " "(Deny)ServiceLogonRight del GPO" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" "Noms dels serveis del PAM als quals sempre se'ls garanteix l'accés basat en " "GPO" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" "Noms dels serveis del PAM als quals sempre se'ls denega l'accés basat en GPO" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Dret (permet o denega) predeterminat de l'inici de sessió a utilitzar per " "als noms dels serveis del PAM sense assignar" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr 
"un lloc determinat per utilitzar amb el client" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Adreça del servidor Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Adreça del servidor Kerberos de reserva" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Reialme Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Temps d'expiració de l'autenticació" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Si es creen els fitxers kdcinfo" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Si es rebutgen les parts de la configuració del krb5" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Directori per emmagatzemar la memòria cau de les credencials" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Ubicació de la memòria cau de les credencials de l'usuari" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid 
"Location of the keytab to validate credentials" msgstr "Ubicació de la clau per validar les credencials" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Habilita la validació de credencials" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "Emmagatzema la contrasenya si s'està desconnectat per a l'autenticació " "posterior amb connexió" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Temps de vida renovable del TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Temps de vida del TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Temps entre les dues comprovacions per a la renovació" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Habilita FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Selecciona el principal per utilitzar amb FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Habilita la canonització del principal" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Habilita els principals empresarials" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: 
src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Servidor on es troba el servei de canvi de contrasenya si no està al KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, L'URI del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, L'URI del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "El DN base per defecte" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "El tipus d'esquema en ús al servidor LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "El DN de creació del vincle per defecte" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" "El tipus del testimoni d'autenticació del DN de creació del vincle per " "defecte" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "El testimoni d'autenticació del DN de creació del vincle per defecte" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Període de temps per intentar una connexió" -#: src/config/SSSDConfig/__init__.py.in:292 +#: 
src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Període de temps per intentar operacions LDAP asíncrones" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" "Període de temps entre els intents per tornar a connectar mentre s'està " "desconnectat" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Utilitza només majúscules pels noms de reialme" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Fitxer que conté els certificats de l'AC" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Camí al directori del certificat de l'AC" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Fitxer que conté el certificat de client" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Fitxer que conté la clau de client" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Llista de paquets de xifrat possibles" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Requereix verificació de certificat TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Especifica el mecanisme SASL a utilitzar" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify 
the sasl authorization id to use" msgstr "Especifica l'id. d'autorització SASL a utilitzar" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Especifica el reialme d'autorització SASL a utilitzar" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Especifica el SSF mínim per a l'autorització SASL de LDAP" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Taula de claus del servei del Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Utilitza l'autenticació Kerberos per a la connexió LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Segueix les referències LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Temps de vida del TGT per la connexió LDAP" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Com desreferenciar els àlies" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Nom del servei per a la recerca del servei del DNS" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "El nombre de registres a recuperar en una sola consulta LDAP" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "El nombre 
de membres que han de faltar per activar una de-referència completa" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1063,384 +1073,384 @@ msgstr "" "Si la biblioteca LDAP hauria de realitzar una recerca inversa per canonitzar " "el nom d'amfitrió durant la creació del vincle SASL" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "L'atribut entryUSN" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "L'atribut lastUSN" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "Quant de temps s'ha de retenir una connexió al servidor LDAP abans de " "desconnectar" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Inhabilita el control de paginació LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Inhabilita la recuperació de l'interval de l'Active Directory" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Període de temps per esperar una petició de cerca" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Període de temps per esperar una petició d'enumeració" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Període de temps entre les actualitzacions de les enumeracions" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Període de temps entre les neteges de la memòria cau" -#: src/config/SSSDConfig/__init__.py.in:328 +#: 
src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Requereix TLS per a la recerca d'id." -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" "Utilitza l'assignació dels id. de l'objectSID en lloc dels id. pre-establerts" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "DN base per a la recerca de l'usuari" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Abast de la recerca de l'usuari" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtre per a la recerca de l'usuari" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass per als usuaris" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "L'atribut nom d'usuari" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "L'atribut UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "L'atribut GID primari" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "L'atribut GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "L'atribut directori inicial" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "L'atribut shell" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID 
attribute" msgstr "L'atribut UUID" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "L'atribut objectSID" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "L'atribut grup primari de l'Active Directory per a l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "L'atribut usuari principal (per a Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nom complet" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "L'atribut memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "L'atribut data de modificació" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "L'atribut shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "L'atribut shadowMin" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "L'atribut shadowMax" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "L'atribut shadowWarning" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "L'atribut shadowInactive" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid 
"shadowExpire attribute" msgstr "L'atribut shadowExpire" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "L'atribut shadowFlag" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "L'atribut que llista els serveis PAM autoritzats" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "L'atribut que llista els amfitrions dels servidors autoritzats" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "L'atribut krbLastPwdChange" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "L'atribut krbPasswordExpiration" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" "L'atribut que indica l'activació de les polítiques de contrasenya de servidor" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "L'atribut accountExpires de l'AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "L'atribut userAccountControl de l'AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "L'atribut nsAccountLock" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr 
"L'atribut loginDisabled del NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "L'atribut loginExpirationTime del NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "L'atribut loginAllowedTimeMap del NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "L'atribut clau pública SSH" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "atribut que llista els tipus permesos d'autenticació per a un usuari" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "atribut que conté el certificat X509 de l'usuari" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" "Una llista dels atributs extres per baixar juntament amb l'entrada de " "l'usuari" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "DN base per a la recerca del grup" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "L'objectclass per als grups" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Nom del grup" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr 
"Contrasenya del grup" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "L'atribut GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "L'atribut membre del grup" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "L'atribut UUID del grup" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "L'atribut data de modificació per als grups" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Tipus del grup i altres senyals" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "DN base per a la recerca del grup de xarxa" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "L'objectclass per als grups de xarxa" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Nom de grup de xarxa" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "L'atribut membres del grup de xarxa" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "L'atribut triple del grup de xarxa" -#: src/config/SSSDConfig/__init__.py.in:396 
+#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "L'atribut data de modificació per als grups de xarxa" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "DN base per a la recerca del servei" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Objectclass per als serveis" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "L'atribut nom del servei" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "L'atribut port del servei" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "L'atribut protocol del servei" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Límit inferior per a l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Límit superior per a l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Nombres d'id. per cada porció en l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "Utilitza l'algoritme compatible d'autorid per a l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Nom del domini per defecte per a l'assignació d'id." 
-#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID del domini per defecte per a l'assignació d'id." -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Si s'utilitzen els grups amb testimonis" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Estableix el límit inferior per als id. permesos del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Estableix el límit superior per als id. permesos del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN per a les consultes ppolicy" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Política per avaluar el venciment de la contrasenya" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" "Quins atributs s'haurien d'utilitzar per avaluar si el compte ha vençut" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Quines regles s'haurien d'utilitzar per avaluar el control d'accés" -#: 
src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "URI d'un servidor LDAP on es permeten els canvis de contrasenya" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" "URI d'un servidor LDAP de reserva on es permeten els canvis de contrasenya" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "Nom del servei DNS pel servidor LDAP de canvi de contrasenyes" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" @@ -1448,23 +1458,23 @@ msgstr "" "Si s'actualitza l'atribut ldap_user_shadow_last_change després d'un canvi de " "contrasenya" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "DN base per a la recerca de les regles sudo" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Període d'actualització automàtica completa" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Període d'actualització automàtica intel·ligent" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "Si es filtren les regles per nom d'amfitrió, adreça IP i xarxa" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1472,227 +1482,231 @@ msgstr "" "Noms d'amfitrió i/o noms de domini plenament qualificat d'aquesta màquina " "per filtrar les regles de sudo" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "Adreces IPv4 o IPv6 o xarxa d'aquesta màquina per filtrar regles de sudo" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Si s'inclouen les regles que contenen el grup de xarxa a l'atribut de " "l'amfitrió" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Si s'inclouen les regles que contenen expressions regulars a l'atribut de " "l'amfitrió" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Objectclass de les regles sudo" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Nom de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Attribut command de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "L'atribut host de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "L'atribut user de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" 
msgstr "L'atribut option de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "L'atribut runas de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "L'atribut runasuser de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "L'atribut runasgroup de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "L'atribut notbefore de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "L'atribut notafter de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "L'atribut order de la regla sudo" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Objectclass per a les assignacions de l'eina de muntatge automàtic" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "L'atribut nom de l'assignació de l'eina de muntatge automàtic" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" "Objectclass per a les entrades de les assignacions de l'eina de muntatge " "automàtic" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" "L'atribut clau d'entrada de l'assignació de l'eina de muntatge automàtic" -#: src/config/SSSDConfig/__init__.py.in:460 +#: 
src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" "L'atribut valor de l'entrada de l'assignació l'eina de muntatge automàtic" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" "DN base per a la recerca de l'assignació de l'eina de muntatge automàtic" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Llista separada per comes dels usuaris autoritzats" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Llista separada per comes dels usuaris no autoritzats" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "El shell predeterminat, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Base per als directoris inicials" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "El nom de la biblioteca NSS a utilitzar" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" "Si se cerca el nom del grup canònic des de la memòria cau, si és possible" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Pila PAM a utilitzar" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Esdevé un dimoni (per defecte)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Executa en mode interactiu (no com a dimoni)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Especifica un fitxer de configuració diferent del predeterminat" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Imprimeix el número de versió i surt" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Nivell de depuració" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Afegeix les marques temporals de depuració" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Mostra les marques temporals amb microsegons" -#: 
src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Un descriptor de fitxer obert pels registres de depuració" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "Envia directament la sortida de depuració al stderr." -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "L'usuari amb què es crea la ccache FAST" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "El grup amb què es crea la ccache FAST" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1700,84 +1714,84 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Domini del proveïdor d'informació (obligatori)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "El sòcol amb privilegis té malament els permisos o el propietari." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "El sòcol públic té malament els permisos o el propietari." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Format inesperat del missatge de les credencials del servidor." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "L'SSSD no s'està executant com a root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "S'ha produït un error però no s'ha pogut trobar cap descripció." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Error inesperat en cercar una descripció de l'error" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "Permís denegat." 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Missatge del servidor: " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Les contrasenyes no coincideixen" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "No s'admet el restabliment de la contrasenya pel root." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "S'ha autenticat amb credencials de la memòria cau" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", la vostra contrasenya en memòria cau vencerà el: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" "La vostra contrasenya ha vençut. Teniu %1$d inicis de sessió restants de " "cortesia." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "La vostra contrasenya vencerà en %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "S'ha denegat l'autenticació fins: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "El sistema està desconnectat, el canvi de contrasenya no és possible" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1785,65 +1799,65 @@ msgstr "" "Després de canviar la contrasenya OTP, heu de tancar la sessió i tornar-la a " "iniciar per tal d'adquirir un tiquet" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Ha fallat el canvi de contrasenya." -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nova contrasenya: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Torneu a introduir la nova contrasenya: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "Primer factor:" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "Segon factor:" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Contrasenya: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Contrasenya actual: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "La contrasenya ha vençut. Canvieu ara la vostra contrasenya." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "El nivell de depuració amb què s'executa" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "El domini SSSD a utilitzar" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "S'ha produït un error en establir la configuració regional\n" 
@@ -1859,27 +1873,27 @@ msgstr "No s'ha especificat l'usuari\n" msgid "Error looking up public keys\n" msgstr "S'ha produït un error en cercar les claus públiques\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "El port a utilitzar per connectar-se a l'amfitrió" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Port no vàlid\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "No s'ha especificat l'amfitrió\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "El camí a l'ordre proxy ha de ser absolut\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" @@ -1931,7 +1945,7 @@ msgstr "Especifica l'usuari a afegir\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" 
@@ -1939,14 +1953,14 @@ msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "S'ha produït un error en inicialitzar les eines\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "S'ha especificat un domini no vàlid al FQDN\n" @@ -1967,7 +1981,7 @@ msgstr "Els grups han d'estar al mateix domini que l'usuari\n" msgid "Cannot find group %1$s in local domain\n" msgstr "No es pot trobar el grup %1$s al domini local\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "No es poden establir els valors per defecte\n" @@ -2047,7 +2061,7 @@ msgstr "El grup %1$s està fora de l'interval d'id. definit pel domini\n" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -2122,15 +2136,15 @@ msgid "Transaction error. Could not modify group.\n" msgstr "" "S'ha produït un error en la transacció. No s'ha pogut modificar el grup.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Privat màgic " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGrup: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Privat màgic " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2179,75 +2193,75 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "S'ha produït un error intern. No es pot imprimir el grup.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Elimina el directori inicial i la gestió de cues del correu" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "No eliminis el directori inicial i la gestió de cues del correu" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Força l'eliminació de fitxers que no són propietat de l'usuari" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Mata els processos de l'usuari abans d'eliminar-lo" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Especifica l'usuari a eliminar\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "L'usuari %1$s està fora de l'interval d'id. 
pel domini\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "No es pot reiniciar el context d'inici de sessió de SELinux\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "ATENCIÓ: L'usuari (uid %1$lu) encara estava en la sessió quan es va " "eliminar.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" "No es pot determinar si l'usuari tenia la sessió iniciada a aquesta " "plataforma" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" "S'ha produït un error en comprovar si l'usuari havia iniciat la sessió\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "L'ordre post-delete ha fallat: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "No s'ha eliminat el directori inicial - no és propietat de l'usuari\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "No es pot eliminar el directori inicial: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "No s'ha trobat l'usuari al domini local. L'eliminació d'usuaris dels grups " "només està permesa al domini local.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "S'ha produït un error intern. No s'ha pogut eliminar l'usuari.\n" 
@@ -2334,81 +2348,81 @@ msgstr "No s'ha pogut invalidar %1$s\n" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "No s'ha pogut invalidar %1$s %2$s\n" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Invalida un usuari determinat" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Invalida tots els usuaris" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Invalida un grup determinat" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Invalida tots els grups" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Invalida un grup de xarxa determinat" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Invalida tots els grups de xarxa" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Invalida un servei determinat" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Invalida tots els serveis" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Invalida una assignació autofs determinada" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Invalida totes les assignacions autofs" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "Invalida un amfitrió SSH determinat" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "Invalida tots els amfitrions SSH" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" 
-#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Invalida les entrades només d'un domini determinat" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Si us plau, seleccioneu almenys un objecte a invalidar\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2417,7 +2431,7 @@ msgstr "" "No es pot obrir el domini %1$s. Si el domini és un subdomini (domini de " "confiança), utilitzeu el FQN en lloc del paràmetre --domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "No s'han pogut obrir els dominis disponibles\n" @@ -2452,7 +2466,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2462,7 +2475,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2538,32 +2550,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2576,12 +2609,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2590,17 +2621,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2621,27 +2650,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2649,17 +2673,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2668,52 +2686,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2726,27 +2753,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2756,7 +2778,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2765,7 +2786,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2780,7 +2800,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2790,7 +2809,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2847,122 +2865,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/cs.po b/po/cs.po index 1bf41535dd6..218312af04e 100644 --- a/po/cs.po +++ b/po/cs.po @@ -5,7 +5,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-08-15 02:07+0200\n" +"POT-Creation-Date: 2019-09-12 02:51+0200\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -1665,7 +1665,7 @@ msgstr "Požaduje kanonizaci názvu principalu" msgid "Use custom version of krb5_get_init_creds_password" msgstr "Použít uživatelsky určenou verzi krb5_get_init_creds_password" -#: src/providers/data_provider_be.c:674 +#: src/providers/data_provider_be.c:711 msgid "Domain of the information provider (mandatory)" msgstr "Doména poskytovatele informace (povinné)" 
@@ -1705,91 +1705,91 @@ msgstr "Neočekávaná chyba při hledání popisu chyby" msgid "Permission denied. " msgstr "Přístup odepřen." -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:777 -#: src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 +#: src/sss_client/pam_sss.c:789 msgid "Server message: " msgstr "Zpráva ze serveru:" # auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa -#: src/sss_client/pam_sss.c:295 +#: src/sss_client/pam_sss.c:296 msgid "Passwords do not match" msgstr "Zadání hesla se neshodují" -#: src/sss_client/pam_sss.c:483 +#: src/sss_client/pam_sss.c:484 msgid "Password reset by root is not supported." msgstr "Reset hesla správcem není podporován." -#: src/sss_client/pam_sss.c:524 +#: src/sss_client/pam_sss.c:525 msgid "Authenticated with cached credentials" msgstr "Přihlášeni přihlašovacími údaji z mezipaměti" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid ", your cached password will expire at: " msgstr ", platnost mezipaměti skončí v:" -#: src/sss_client/pam_sss.c:555 +#: src/sss_client/pam_sss.c:556 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "Platnost vašeho hesla skončila. Zbývá vám %1$d přihlášení." -#: src/sss_client/pam_sss.c:601 +#: src/sss_client/pam_sss.c:602 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Platnost vašeho hesla skončí v %1$d %2$s." 
-#: src/sss_client/pam_sss.c:650 +#: src/sss_client/pam_sss.c:651 msgid "Authentication is denied until: " msgstr "Ověření odepřeno do:" -#: src/sss_client/pam_sss.c:671 +#: src/sss_client/pam_sss.c:672 msgid "System is offline, password change not possible" msgstr "Systém není dostupný, změna hesla není možná" -#: src/sss_client/pam_sss.c:686 +#: src/sss_client/pam_sss.c:687 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" "Po změně OTP hesla, je třeba se odhlásit/přihlásit aby byl získán lístek" -#: src/sss_client/pam_sss.c:774 src/sss_client/pam_sss.c:787 +#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 msgid "Password change failed. " msgstr "Změna hesla se nezdařila." -#: src/sss_client/pam_sss.c:1977 +#: src/sss_client/pam_sss.c:1989 msgid "New Password: " msgstr "Nové heslo:" -#: src/sss_client/pam_sss.c:1978 +#: src/sss_client/pam_sss.c:1990 msgid "Reenter new Password: " msgstr "Zopakování nového hesla:" -#: src/sss_client/pam_sss.c:2139 src/sss_client/pam_sss.c:2142 +#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 msgid "First Factor: " msgstr "Hlavní faktor:" -#: src/sss_client/pam_sss.c:2140 src/sss_client/pam_sss.c:2303 +#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 msgid "Second Factor (optional): " msgstr "Druhý faktor (volitelné):" -#: src/sss_client/pam_sss.c:2143 src/sss_client/pam_sss.c:2306 +#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 msgid "Second Factor: " msgstr "Druhý faktor:" # auto translated by TM merge from project: anaconda, version: f25, DocId: main -#: src/sss_client/pam_sss.c:2158 +#: src/sss_client/pam_sss.c:2171 msgid "Password: " msgstr "Heslo: " -#: src/sss_client/pam_sss.c:2302 src/sss_client/pam_sss.c:2305 +#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 msgid "First Factor (Current Password): " msgstr "Hlavní faktor (stávající heslo):" -#: src/sss_client/pam_sss.c:2309 +#: 
src/sss_client/pam_sss.c:2330 msgid "Current Password: " msgstr "Stávající heslo:" -#: src/sss_client/pam_sss.c:2664 +#: src/sss_client/pam_sss.c:2685 msgid "Password expired. Change your password now." msgstr "Platnost hesla skončila. Změňte si ho." diff --git a/po/de.po b/po/de.po index 5d737c57ca8..644ede9bff3 100644 --- a/po/de.po +++ b/po/de.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:45+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/" @@ -82,12 +82,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Zeitüberschreitung für Meldungen, die über SBUS gesendet werden" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Regulärer Ausdruck zum Verarbeiten von Benutzername und Domain" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" "Printf-kompatibles Format für die Darstellung voll ausgeschriebener Namen" 
@@ -330,324 +330,334 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Liste von Benutzer-IDs oder Benutzernamen für den Zugriff auf den PAC-" "Responder" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Liste von Benutzer-IDs oder Benutzernamen für den Zugriff auf den InfoPipe-" "Responder" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Liste der Benutzerattribute, die InfoPipe veröffentlichen darf" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid 
"The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 
msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Identitäts-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Authentifizierungs-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Zugriffskontroll-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Passwortänderungs-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "SUDO-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Autofs-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Rechner-Identitäts-Anbieter" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Minimale Benutzer‐ID" -#: 
src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Maximale Benutzer‐ID" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Auflistung aller Benutzer/Gruppen aktivieren" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Zwischengespeicherte Anmeldedaten für Offline-Anmeldung" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Benutzer/Gruppen in voll ausgeschriebener Form anzeigen" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Gruppenmitglieder in Gruppen-Suchanfragen nicht einschließen" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Zeitspanne für den Eintrags-Zwischenspeicher (Sekunden)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Eine spezifische Adressfamilie beim Ausführen von DNS-Suchanfragen " "beschränken oder bevorzugen" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Gibt die Anzahl der Tage an, wie 
lange zwischengespeicherte Einträge nach " "der letzten Anmeldung aufbewahrt werden" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Gibt die Anzahl Sekunden an, wie lange beim Auflösen von Servernamen auf " "Antworten vom DNS-Dienst gewartet werden soll" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Der Domain-Teil der DNS-Abfrage zur Dienstsuche" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" "Den Gruppen-ID-Wert des Identitäts-Anbieters mit diesem Wert überschreiben" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Groß-/Kleinschreibung in Benutzernamen berücksichtigen" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Anzahl der Auffrischung abgelaufener Einträge im Hintergrund" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Automatische Aktualisierung des DNS-Eintrags des Clients" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: 
src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" "Die auf den DNS-Eintrag des Clients anzuwendende TTL, nachdem dieser " "aktualisiert wurde" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "Schnittstelle, deren IP für dynamische DNS-Aktualisierungen verwendet werden " "soll" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Gibt an, wie oft der DNS-Eintrag des Clients aktualisiert werden soll" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" "Gibt an, ob der Anbieter den PTR-Datensatz ebenfalls explizit aktualisieren " "soll" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Gibt an, ob das nsupdate-Dienstprogramm per Vorgabe TCP verwenden soll" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Gibt an, welche Art der Authentifizierung bei der DNS-Aktualisierung " "verwendet werden soll" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Aufzählung vertrauenswürdiger Domains steuern" -#: src/config/SSSDConfig/__init__.py.in:196 +#: 
src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Anzahl der Auffrischung der Subdomain-Liste" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-Domain" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA-Serveradresse" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adresse des Ersatz-IPA-Servers" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA-Client-Rechnername" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Gibt an, ob der DNS-Eintrag des Clients in FreeIPA automatisch aktualisiert " "werden soll" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Suchbasis für HBAC-bezogene Objekte" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA 
server" msgstr "Die Zeitspanne zwischen Suchanfragen der HBAC-Regeln an den IPA-Server" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" 
@@ -655,373 +665,373 @@ msgstr "" "Die Zeitspanne in Sekunden zwischen Suchanfragen der SELinux-Zuweisung an " "den IPA-Server" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Falls auf »false« gesetzt, wird das von PAM angegebene Host-Argument " "ignoriert" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "Der Automounter-Ort, den dieser IPA-Client verwendet" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" "Suchbasis für Objekte, die Informationen über eine IPA-Domain enthalten" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "Suchbasis für Objekte, die Informationen über ID-Bereiche enthalten" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "DNS-Sites aktivieren – standortbasierte Dienstsuche" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: 
src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Active-Directory-Domain" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Adresse des Active-Directory-Servers" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Adresse des Ersatz-Active-Directory-Servers" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Hostname des Active-Directory-Clients" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 
+#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "LDAP-Filter zum Bestimmen der Zugriffsprivilegien" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Verwendung des globalen Katalogs für Suchvorgänge" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Operationsmodus für GPO-basierte Zuhgriffskontrolle" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service 
names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos-Serveradresse" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Adresse des Ersatz-Kerberos-Servers" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberos-Realm" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Zeitüberschreitung bei Authentifizierung" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Gibt an, ob kdcinfo-Dateien angelegt werden" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Verzeichnis zum Speichern der Anmeldedaten" -#: 
src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Ort des Zwischenspeichers für die Anmeldedaten des Benutzers" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Ort der Schlüsseltabelle zum Überprüfen von Anmeldedaten" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Validierung der Anmeldedaten aktivieren" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "Passwort im Offline-Modus für spätere Online-Anmeldung speichern" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Erneuerung der Lebensdauer des TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Lebensdauer des TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Zeitspanne zwischen zwei Prüfungen, ob Erneuerung nötig ist" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Aktiviert FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Wählt den für FAST zu verwendenden Principal aus" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Aktiviert Kanonisierung des Principals" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr 
"Enterprise-Principals aktivieren" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Server, auf dem der Dienst zum Ändern des Passworts läuft, falls nicht KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, die URI des LDAP-Servers" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, die URI des LDAP-Servers" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Vorgegebene Basis-DN" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Der vom LDAP-Server verwendete Schema-Typ gemäß RFC2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Vorgegebene Bind-DN" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Typ des Authentifizierungs-Tokens der vorgegebenen Bind-DN" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Authentifizierungs-Token für die vorgegebene Bind-DN" 
-#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Zeitspanne für einen Verbindungsversuch" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Zeitspanne für Versuche zur Ausführung synchroner LDAP-Vorgänge" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" "Zeitspanne zwischen Versuchen zum erneuten Verbindungsaufbau im Offline-Modus" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Nur Großschreibung für Realm-Namen verwenden" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Datei, die CA-Zertifikate enthält" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Pfad zum CA-Zertifikatverzeichnis" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Datei, die das Client-Zertifikat enthält" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Datei, die den Client-Schlüssel enthält" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Liste der möglichen Verschlüsselungs-Suites" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "TLS-Zertifikatüberprüfung erforderlich machen" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Zu verwendenden sasl-Mechanismus angeben" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Zu verwendende ID für sasl-Authentifizierung angeben" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Zu verwendenden Realm für sasl-Authentifizierung angeben" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Gibt den minimalen SSF für die SASL-Authentifizierung über LDAP an" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Schlüsseltabelle des Kerberos-Dienstes" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Kerberos-Authentifizierung für LDAP-Verbindung verwenden" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "LDAP-Verweisen folgen" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Lebensdauer von TGT für LDAP-Verbindung" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Dereferenzierung von Aliasen" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Dienstname für DNS-Service-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "Anzahl der in 
einer einzelnen LDAP-Abfrage zu holenden Datensätze" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "Anzahl der Elemente, die fehlen müssen, um eine vollständige " "Dereferenzierung auszulösen" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1029,383 +1039,383 @@ msgstr "" "Gibt an, ob die LDAP-Bibliothek eine Rückwärtssuche ausführen soll, um den " "Rechnernamen während einer SASL-Bindung zu kanonisieren" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "entryUSN-Attribut" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "lastUSN-Attribut" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "Zeitspanne zum Halten einer Verbindung zum LDAP-Server, bis diese " "unterbrochen wird" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "LDAP-Paging-Steuerung deaktivieren" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Bereichsermittlung für Active Directory deaktivieren" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Zeitspanne zum Warten auf eine Suchanfrage" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Zeitspanne zum Warten auf eine Auflistungsanfrage" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Zeitspanne zwischen Auflistungsanfragen" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Zeitspanne zwischen den Leerungen des Zwischenspeichers" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require 
TLS for ID lookups" msgstr "TLS für ID-Suchvorgänge erforderlich machen" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "ID-Zuweisung von objectSID anstelle von voreingestellten IDs verwenden" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Basis-DN für Benutzer-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Bereich für Benutzer-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filter für Benutzer-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objektklasse für Benutzer" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Benutzername-Attribut" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "UID-Attribut" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Primäres GID-Attribut" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "GECOS-Attribut" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Home-Verzeichnis-Attribut" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Shell-Attribut" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: 
src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "objectSID -Attribut" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Active-Directory-Primärgruppen-Attribut für ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Principal-Attribut verwenden (für Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Vollständiger Name" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "memberOf-Attribut" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Änderungszeit-Attribut" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "shadowLastChange-attribut" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "shadowMin-Attribut" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "shadowMax Attribut" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "shadowWarning-Attribut" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "shadowInactive-Attribut" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "shadowExpire-Attribut" -#: src/config/SSSDConfig/__init__.py.in:355 +#: 
src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "shadowFlag-Attribut" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Attribut, welches die autorisierten PAM-Dienste auflistet" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Attribut, welches die autorisierten Server-Hosts auflistet" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "krbLastPwdChange-Attribut" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "krbPasswordExpiration-Attribut" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" "Attribut, welches angibt, dass die serverseitigen Passwortregeln aktiv sind" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "accountExpires-Attribut von AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "userAccountControl-Attribut von AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "nsAccountLock-Attribut" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "loginDisabled-Attribut von NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: 
src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "loginExpirationTime-Attribut von NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "loginAllowedTimeMap-Attribut von NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Attribut für öffentlichen SSH-Schlüssel" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" "Eine Liste der zusätzlich herunterzuladender Attribute zusammen mit dem " "Benutzereintrag" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "Basis-DN für Gruppen-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Objektklasse für Gruppen" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Gruppenname" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Gruppenpasswort" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Gruppen-ID-Attribut" -#: 
src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Gruppen-Mitgliedschafts-Attribut" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Änderungszeit-Attribut für Gruppen" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Typ der Gruppe und weitere Flags" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "Basis-DN für Netzgruppen-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Objektklasse für Netzgruppen" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Netzgruppenname" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Netzgruppen-Mitglieder-Attribut" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Netzgruppen-Tripel-Attribut" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Änderungszeit-Attribut für Netzgruppen" -#: src/config/SSSDConfig/__init__.py.in:398 +#: 
src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Basis-DN für Dienste-Suchanfragen" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Objektklasse für Dienste" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Name-Attribut des Dienstes" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Port-Attribut des Dienstes" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Protokoll-Attribut des Dienstes" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Untere Grenze für ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Obere Grenze für ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Anzahl der IDs für jeden Teil bei der ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "autorid-kompatiblen Algorithmus für ID-Zuweisung verwenden" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Name der Vorgabe-Domain für ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID der Vorgabedomain für ID-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary 
slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Verwendung von Token-Gruppen" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Untere Grenze für zulässige IDs des LDAP-Servers angeben" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Obere Grenze für zulässige IDs des LDAP-Servers angeben" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Regel zum Ermitteln der Ablaufzeit des Passworts" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" "Attribute, die bei der Ermittlung verwendet werden, ob ein Konto abgelaufen " "ist" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Regeln für die Ermittlung der Zugriffskontrolle" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "URI eines LDAP-Servers, wo Passwortänderungen zulässig sind" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "URI eines 
Ersatz-LDAP-Servers, wo Passwortänderungen zulässig sind" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "DNS-Dienstname für den LDAP-Passwortänderungsserver" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" @@ -1413,25 +1423,25 @@ msgstr "" "Gibt an, ob das Attribut ldap_user_shadow_last_change nach einer " "Passwortänderung aktualisiert werden soll" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Basis-DN für Suchanfragen nach Sudo-Regeln" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Periode für automatische vollständige Aktualisierung" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Periode für bedingte vollständige Aktualisierung" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" "Gibt an, ob Regeln nach Hostnamen, IP-Adressen oder Netzwerken gefiltert " "werden sollen" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1439,224 +1449,228 @@ msgstr "" "Hostnamen und/oder voll ausgeschriebene Domain-Namen dieses Rechners zum " "Filtern von Sudo-Regeln" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "IPv4- oder IPv6-Adressen oder Netzwerk dieses Rechners zum Filtern von sudo-" "Regeln" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Gibt an, ob Regeln im Host-Attribut einbezogen werden sollen, die " "Netzgruppen enthalten" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Gibt an, ob Regeln im Host-Attribut einbezogen werden sollen, die reguläre " "Ausdrücke enthalten" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Objektklasse für Sudo-Regeln" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Sudo-Regelname" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Befehlsattribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Host-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Benutzer-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option 
attribute" msgstr "Optionsattribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "runasuser-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "runasgroup-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "notbefore-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "notafter-Attribut der sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Reihenfolge-Attribut der Sudo-Regel" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Objektklasse für Automounter-Zuweisungen" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Name-Attribut der Automounter-Zuweisung" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Objektklasse für Einträge von Automounter-Zuweisungen" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Schlüssel-Attribut des Automounter-Zuweisungseintrags" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Wert-Attribut des Automounter-Zuweisungseintrags" -#: 
src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "Basis-DN für Suchanfragen nach Automounter-Zuweisungen" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Durch Kommata getrennte Liste der erlaubten Benutzer" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Durch Kommata getrennte Liste der verbotenen Benutzer" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Vorgabeshell, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Wurzel für Benutzerverzeichnisse" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Name der zu verwendenden NSS-Bibliothek" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" "Gibt an, ob wenn möglich im Zwischenspeicher nach dem kanonischen " "Gruppennamen gesucht werden soll" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Zu verwendender PAM-Stapel" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Zum Hintergrunddienst werden (Vorgabe)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Interaktiv ausführen (nicht als Hintergrunddienst)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Angabe einer nicht standardmäßigen Konfigurationsdatei" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Versionsnummer ausgeben und das Programm beenden" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Fehlerdiagnosestufe" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Debug-Zeitstempel hinzufügen" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Zeitstempel mit Mikrosekunden anzeigen" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 
src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Offener Dateideskriptor für die Debug-Protokolle" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1664,84 +1678,84 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Domain des Informationsanbieters (obligatorisch)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "Privilegierter Socket hat falsche Eigentums- oder Zugriffsrechte." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "Öffentlicher Socket hat falsche Eigentums- oder Zugriffsrechte." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Unerwartetes Format der Server-Anmeldenachricht." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD wird nicht durch Root ausgeführt." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" "Ein Fehler ist aufgetreten, aber es kann keine Beschreibung gefunden werden." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Unerwarteter Fehler beim Suchen nach einer Fehlerbeschreibung" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. 
" msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Server-Meldung: " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Passwörter stimmen nicht überein" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Das Zurücksetzen des Passworts durch Root wird nicht unterstützt." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Authentifiziert mit zwischengespeicherten Anmeldedaten" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", Ihr zwischengespeichertes Passwort läuft ab am: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" "Ihr Passwort ist abgelaufen. Ihnen verbleiben nur noch %1$d Anmeldungen." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Ihr Passwort wird in %1$d %2$s ablaufen." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Authentifizierung wird verweigert bis: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "System ist offline, Änderung des Passworts ist nicht möglich" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1749,65 +1763,65 @@ msgstr "" "Nach dem Ändern des OTP-Passworts müssen Sie sich ab- und wieder anmelden, " "um ein Ticket erhalten zu können" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Änderung des Passworts fehlgeschlagen. " -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Neues Passwort: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Neues Passwort wiederholen: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Passwort: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Aktuelles Passwort: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Passwort ist abgelaufen. Ändern Sie Ihr Passwort jetzt." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Stufe, mit der die Fehlerdiagnose ausgeführt werden soll" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "Die zu verwendende SSSD-Domain" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Fehler beim Setzen der Locale-Einstellung\n" 
@@ -1823,27 +1837,27 @@ msgstr "Benutzer nicht angegeben\n" msgid "Error looking up public keys\n" msgstr "Fehler beim Nachschlagen der öffentlichen Schlüssel\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Der Port, der für die Verbindung zum Host benutzt werden soll" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Ungültiger Port\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Rechner nicht angegeben\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Der Pfad zum Proxy-Befehl muss absolut sein\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1897,21 +1911,21 @@ msgstr "Hinzuzufügenden Benutzer angeben\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Fehler beim Initialisieren der Werkzeuge – keine lokale Domain\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Fehler beim Initialisieren der Werkzeuge\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Ungültige Domain in FQDN angegeben\n" @@ -1932,7 +1946,7 @@ msgstr "Gruppen müssen in der gleichen Domain wie Benutzer sein\n" msgid "Cannot find group %1$s in local domain\n" msgstr "Gruppe %1$s kann in lokaler Domain nicht gefunden werden\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Vorgabewerte können nicht gesetzt werden\n" 
@@ -2013,7 +2027,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2088,15 +2102,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Transaktionsfehler. Gruppe kann nicht geändert werden.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGruppe: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magic Private " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2145,73 +2159,73 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Interner Fehler. Gruppen können nicht ausgegeben werden.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Home-Verzeichnis und Mail-Spool entfernen" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Home-Verzeichnis und Mail-Spool nicht entfernen" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Das Löschen von Dateien erzwingen, die dem Benutzer nicht gehören" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Prozesse des Benutzers abwürgen, bevor dieser gelöscht wird" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Zu löschenden Benutzer angeben\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" "Benutzer %1$s ist außerhalb des für diese Domain festgelegten ID-Bereichs\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "SELinux-Anmeldekontext kann nicht zurückgesetzt werden\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "WARNUNG: Der Benutzer (uid %1$lu) war beim Löschen noch angemeldet.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" "Es kann nicht ermittelt werden, ob der Benutzer auf dieser Plattform " "angemeldet war." 
-#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "Fehler bei der Überprüfung, ob der Benutzer angemeldet war\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "Der nach dem Löschen auszuführende Befehl ist fehlgeschlagen: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "Home-Verzeichnis wird nicht entfernt – es gehört nicht dem Benutzer\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Home-Verzeichnis kann nicht entfernt werden: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Kein solcher Benutzer in lokaler Domain. Entfernen von Benutzern ist nur in " "der lokalen Domain zulässig.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Interner Fehler. Benutzer konnte nicht entfernt werden.\n" 
@@ -2300,81 +2314,81 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Bestimmten Benutzer annullieren" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Alle Benutzer annullieren" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Bestimmte Gruppe annullieren" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Alle Gruppen annullieren" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Bestimmte Netzgruppe annullieren" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Alle Netzgruppen annullieren" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Bestimmten Dienst annullieren" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Alle Dienste annullieren" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Bestimmte autofs-Zuweisung annullieren" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Alle autofs-Zuweisungen annullieren" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 
+#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Nur Einträge einer bestimmten Domain annullieren" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Bitte wählen Sie mindestens ein Objekt für die Annullierung\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2384,7 +2398,7 @@ msgstr "" "(trusted domain) handelt, verwenden Sie den voll ausgeschriebenen Namen " "anstelle des Parameters --domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Verfügbare Domains konnten nicht geöffnet werden\n" @@ -2419,7 +2433,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2429,7 +2442,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2505,32 +2517,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2543,12 +2576,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2557,17 +2588,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2588,27 +2617,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2616,17 +2640,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2635,52 +2653,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2693,27 +2720,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2723,7 +2745,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2732,7 +2753,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2747,7 +2767,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2757,7 +2776,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2814,122 +2832,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/es.po b/po/es.po index f2e0830a31a..d5dee5ecba4 100644 --- a/po/es.po +++ b/po/es.po @@ -18,7 +18,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2019-08-26 09:45+0000\n" "Last-Translator: Emilio Herrera \n" "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/" 
@@ -94,14 +94,14 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Tiempo máximo para los mensajes enviados a través de SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" "Expresión regular para analizar sintácticamente el nombre de usuario y " "dominio" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" "Formato compatible con printf para mostrar nombres completamente calificados" 
@@ -347,55 +347,65 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "Ruta al almacenamiento de los certificados CA de confianza" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Lista de UIDs o nombres de usuario que tienen permitido acceder al " "contestador PAC" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "Longitud de datos PAC considerados válidos" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Lista de UIDs y nombres de usuarios que tienen permitido el acceso al " "contestador InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Lista de atributos de usuario que InforPipe tiene permitido publicar" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "El proveedor donde se almacenarán los secretos" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "El número máximo permitido de contenedores anidados" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "El número máximo de secretos que pueden ser 
almacenados" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "El número máximo de secretos que puede ser almacenado por UID" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "El tamaño de carga máxima de un secreto en kilobytes" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "El servidor URL Custodia está escuchando en" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "El método a usar cuando se autentica en un servidor Custodia" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" 
@@ -403,38 +413,38 @@ msgstr "" "El nombre de las cabeceras que se añadirán a una petición HTTP con el valor " "definido en auth_header_value" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "El valor que sssd-secrets debería usar para auth_header_name" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" "La lista de las cabeceras a enviar al servidor Custodia junto con la petición" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" "El nombre de usuario a usar cuando se autentifica en un servidor Custodia " "usando basic_auth" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" "La contraseña a usar cuando se autentifica en un servidor Custodia usando " "basic_auth" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" "Si es verdadero el certificado del par es verificado si proxy_url usa " "protocolo https" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" 
@@ -442,110 +452,110 @@ msgstr "" "Si es falso el certificado del par puede contener un nombre de host " "diferente que el proxy_url cuando se usa el protocolo https" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" "Ruta al directorio donde está almacenado el certificado de la autoridad de " "certificación" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "Ruta al fichero que contiene el certificado CA del servidor" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "Ruta al fichero que contiene el certificado del cliente" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "Ruta al fichero que contiene la clave privada del cliente" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Proveedor de identidad" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Proveedor de Autenticación" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Proveedor de control de acceso" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Proveedor de cambio de contraseña" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "Proveedor de SUDO" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Proveedor de Autofs" -#: 
src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Suministrador de identidad de host" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "Proveedor SELinux" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "Proveedor de gestión de sesión" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "Si el dominio es utilizable por el SO o por las aplicaciones" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "ID mínimo de usuario" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "ID máximo de usuario" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Habilitar la enumeración de todos los usuarios/grupos" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Hacer caché de las credenciales para ingresos fuera de línea" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Mostrar los usuarios/grupos en un formato completamente calificado" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "No incluye a los miembros del grupo en las búsquedas de grupo" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: 
src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Tiempo máximo de una entrada del caché (segundos)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Restringir o preferir una familia de direcciones específica, cuando se " "realicen búsquedas DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "Por cuánto tiempo permitir ingresos cacheados luego del último (días)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" 
@@ -553,134 +563,134 @@ msgstr "" "Cuanto debería SSSD hablar con un único servidor DNS antes de intentar el " "siguiente servidor (milisegundos)" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" "Cuanto debería mantenerse intentando resolver una única petición DNS " "(segundos)" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Cantidad de tiempo (en segundos) a esperar respuestas desde DNS cuando se " "estén resolviendo servidores" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "La sección del dominio de la consulta para descubrir servicios DNS" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "Sustituye valor GID del proveedor de la identidad con este valor" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Trate al nombre de usuario con mayúsculas y minúsculas" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" "Frecuencia con la que deberían expirar las entradas refrescada en segundo " "plano" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Que actualice automáticamente las entradas del cliente DNS" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 
msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "El TTL a aplicar a la entrada del cliente DNS después de actualizarla" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "La interfaz cuya IP debería ser utilizada para actualizaciones DNS " "automáticas" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" "Frecuencia con la que actualizar periódicamente la entrada del cliente DNS" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" "Si el proveedor debería explícitamente actualizar el registro PTR también" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Si la utilidad nsupdate debería utilizar por defecto TCP" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Clase de autenticación que debería ser usada para llevar a cabo una " "actualización DNS" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" "Borrar el servidor DNS utilizado para llevar a cabo una actualización DNS" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Control de enumeración de los dominios de confianza" -#: src/config/SSSDConfig/__init__.py.in:196 +#: 
src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Frecuencia con la que la lista de subdominios es refrescada" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "Lista de las opciones que serían heredadas a un subdominio" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "Valor homedir del subdominio por defecto" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" "Cuanto serán usadas las credenciales en cache para la autenticación en cache" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "Ya sea para crear grupos privados para usuarios" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Dominio IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Dirección del servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Dirección del servidor de respaldo IPA" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nombre de equipo del cliente IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Si actualizar o no en forma automática la entrada DNS del cliente en FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid 
"Search base for HBAC related objects" msgstr "Búsqueda base para objetos HBAC" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" "Cantidad de tiempo entre búsquedas de reglas HBAC contra el servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" 
@@ -688,65 +698,65 @@ msgstr "" "La cantidad de tiempo en segundos entre búsquedas de los mapas SELinux " "contra el servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Si se lo define en 'false', será ignorado el argumento de equipo ofrecido " "por PAM" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "La ubicación de montaje automático que este cliente de IPA está usando" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" "Buscar base para el objeto que contiene información sobre el dominio IPA" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" "Buscar base para los objetos que contienen información sobre los rangos ID" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" "Habilita la localización de sitios DNS en base al servicio de descubrimiento" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Buscar base para la visualización de contenedores" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Objectclass para visualizar contenedores" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "Atributo con el nombre de la vista" -#: 
src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Objectclass para anular objetos" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "Atributo con la referencia al objeto original" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Objectclass para anular objetos de usuario" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Objectclass para anular objetos de grupo" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "Base de búsqueda para objetos relacionados con Desktop Profile" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" @@ -754,7 +764,7 @@ msgstr "" "La cantidad de tiempo en segundos entre las búsquedas de las reglas Desktop " "Profile contra el servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" 
@@ -763,40 +773,40 @@ msgstr "" "Profiles contra el servidor IPA cuando la última petición no ha encontrado " "ninguna regla" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Dominio Active Directory" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "Habilitar dominio Active Directory" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Dirección del servidor Active Directory" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Dirección del servidor de respaldo Active Directory" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Nombre de host del cliente de Active Directory" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Filtro LDAP para determinar privilegios de acceso" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Si se usa Global Catalog para búsquedas" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Modo de operación para control de acceso basado en GPO" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" 
@@ -804,7 +814,7 @@ msgstr "" "La cantidad de tiempo entre búsquedas de los ficheros de política GPO contra " "el servidor AD" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -812,7 +822,7 @@ msgstr "" "Servicio de nombres PAM que mapea a los ajustes de política GPO " "(Deny)InteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -820,269 +830,269 @@ msgstr "" "Servicio de nombres PAM que mapea a los ajustes de política GPO " "(Deny)RemoteInteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "Servicio de nombres PAM que mapea a los ajustes de política GPO " "(Deny)NetworkLogonRight" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "Servicio de nombres PAM que mapea a los ajustes de política GPO " "(Deny)BatchLogonRight" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "Servicio de nombres PAM que mapea a los ajustes de política GPO " "(Deny)ServiceLogonRight" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" "Servicio de nombres PAM por el que el acceso basado en GPO será siempre " "alcanzado" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" "Servicio de nombres PAM por el que el acceso basado en GPO será siempre " "denegado" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Derecho de acceso por defecto (o permitir/denegar) a usar por el servicio de " "nombres PAM no mapeado" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "un sitio concreto a ser usado por el cliente" -#: 
src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" "Edad máxima en días antes de que la cuenta de contraseña debería ser renovada" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "Opción para afinar la tarea de renovación de la cuenta de la máquina" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Dirección del servidor Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Dirección del servidor de respaldo Kerberos" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Reinado Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Expiración de la autenticación" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Si se crean ficheros kdcinfo" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Dónde soltar los fragmentos de configuración de krb5" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Directorio donde almacenar las credenciales cacheadas" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Ubicación del caché de credenciales del usuario" -#: 
src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Ubicación de la tabla de claves para validar las credenciales" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Habilitar la validación de credenciales" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "Si se encuentra desconectado, almacena contraseñas para más tarde realizar " "una autenticación en línea" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "ciclo de vida renovable del TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "ciclo de vida del TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "tiempo entre dos comprobaciones para renovación " -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Habilita FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Selecciona el principal para su uso por FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Habilita canonicalización principal" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Permite los principios de la empresa" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" 
msgstr "" "Un mapeo desde los nombres de usuario a los nombres de principal de Kerberos" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "El servidor en donde está ejecutándose el servicio de modificación de " "contraseña, en caso de no ser KDC. " -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, El URI del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, La URI del servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "DN base predeterminado" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "El Tipo de Esquema a usar en el servidor LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "Modo usado para cambiar la contraseña de usuario" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "El DN Bind predeterminado" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "El tipo del token de autenticación del DN bind predeterminado" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "El token de autenticación del DN bind predeterminado" -#: 
src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Tiempo durante el que se intentará la conexión" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Tiempo durante el que se intentará operaciones LDAP sincrónicas" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Tiempo entre intentos de reconexión cuando esté fuera de línea" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Use solo el caso superior para nombres reales" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Archivo que contiene los certificados CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Ruta hacia un directorio certificado CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Fichero que contiene el certificado de cliente" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Fichero que contiene la llave de cliente" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Lista de posibles suites de cifrado" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Requiere la verificación de certificado TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Especificar el mecanismo sasl a usar" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Especifique el id de autorización sasl a usar" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Especifica el reinado de autorización sasl a ser utilizado" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Especificar los SSF mínimos para autorizaciones sasl de LDAP" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Tabla de clave del servicio Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Usar auth Kerberos para la conexión LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Seguir referencias LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Período de vida del TGT para la conexión LDAP" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Como eliminar aliases" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Nombre de servicio para busquedas de servicios DNS" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "La cantidad de registros a ser 
obtenidos en una única consulta LDAP" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "La cantidad de miembros que deben faltar para desencadenar una deref completa" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1090,389 +1100,389 @@ msgstr "" "Si la Biblioteca LDAP debería realizar una búsqueda inversa para " "canonicalizar el nombre del host durante un enlace SASL" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "atributo entryUSN" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "atributo lastUSN" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "El período de tiempo máximo para retener una conexión con el servidor LDAP " "antes de desconectar" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Deshabilita el control de paginación LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Deshabilitar el rango de recuperación Active Directory" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Tiempo máximo a esperar un pedido de búsqueda" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "periodo de espera para solicitud de enumeración" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Tiempo en segundos entre las actualizaciones de enumeración" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "periodo de tiempo entre borrados de la caché" -#: src/config/SSSDConfig/__init__.py.in:328 +#: 
src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Requiere TLS para búsquedas de ID" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "Usar el mapeado ID de objectSID en lugar de las IDs preajustadas" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "DN base para búsquedas de usuario" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Ambito de las búsquedas del usuario" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtro para las búsquedas del usuario" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass para los usuarios" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Atributo Username" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Atributo UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Atributo GID primario" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Atributo GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Atributo Directorio de inicio" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Atributo shell" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "Atributo 
UUID" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "Atributo objectSID" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Atributo primario del grupo Active Directory para el mapeado de ID" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Atributo principal del usuario (para Kerberos) " -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nombre completo" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Atributo memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Atributo hora de modificación" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "atributo shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "atributo shadowMin " -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "atributo shadowMax" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "atributo shadowWarning " -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "atributo shadowInactive " -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" 
msgstr "atributo shadowExpire" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "atributo shadowFlag " -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "listado de atributos de servicios PAM autorizados" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Atributo de listado de equipos de servidor autorizados" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "Atributo listando los rhosts de los servidores autorizados" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "atributo krbLastPwdChange " -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "atributo krbPasswordExpiration " -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" "atributo indicando que las políticas de contraseña del lado del servidor " "están activas" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "atributo accountExpires de AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "atributo userAccountControl de AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "atributo nsAccountLock " -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid 
"loginDisabled attribute of NDS" msgstr "loginDisabled atributo de NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "loginExpirationTime atributo de NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "loginAllowedTimeMap atributo de NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Atributo de clave pública SSH" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" "atributo listando los tipos de autenticación permitidos para un usuario" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "atributo conteniendo el certificado X509 del usuario" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "atributo que contiene la dirección de correo electrónico del usuario" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" "Una lista de los atributos extra a descargar junto con la entrada del usuario" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "DN base para busqueda de grupos" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "clase objeto para" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Nombre del grupo" -#: 
src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Contraseña del grupo" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Atributo GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Atributo de miembro del grupo" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "Atributo UUID de grupo" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Atributo de modificación de tiempo para los grupos" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Tipo del grupo y otras banderas" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "Atributo de miembro de grupo externo LDAP" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "Máximo nivel de anidamiento que seguirá SSSD" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "DN base para búsquedas de grupos de red" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Clases de objetos para grupos de red" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Nombre de grupo de red" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Atributo de miembros de grupos de red" 
-#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Atributo triple de grupo de red" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Atributo de modificación de tiempo para grupos de red" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Base DN para servicio de búsquedas" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Clase de objeto para servicio" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Atributo de nombre de servicio" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Atributo de puerto de servicio" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Atributo de protocolo de servidor" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Límite más bajo para el mapeo de ID" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Límite más alto para el mapeo de ID" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Número de IDs por cada trozo cuando se mapean ID" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "Usar el algoritmo compatible con autorid para el mapeo de ID" -#: src/config/SSSDConfig/__init__.py.in:409 +#: 
src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Nombre del dominio por defecto para el mapeo de ID" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID del dominio por defecto para el mapeo de ID" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "Número de trozos secundarios" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Si usar Token-Groups" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Fijar el límite más bajo de IDs permitidas desde el servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" "Fijar el límite más alto para las IDs permitidas desde el servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN para consultas ppolicy" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "Máximas entradas a recuperar durante una solicitud de comodín" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Política para evaluar el vencimiento de la contraseña" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" "Los atributos que deberán ser utilizados para evaluar si una cuenta ha " "expirado" -#: 
src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Las reglas que deberían ser utilizadas para evaluar control de acceso" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" "URI de un servidor LDAP donde se permite la modificación de contraseñas" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" "URI de un servidor de respaldo LDAP donde están permitidos los cambios de " "contraseña" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" "Nombre del servicio DNS para el servidor de modificación de contraseñas LDAP" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" 
@@ -1480,23 +1490,23 @@ msgstr ""
 "Si actualizar el atributo ldap_user_shadow_last_change después de un cambio "
 "de contraseña"
 
-#: src/config/SSSDConfig/__init__.py.in:434
+#: src/config/SSSDConfig/__init__.py.in:436
 msgid "Base DN for sudo rules lookups"
 msgstr "Base DN para búsquedas de reglas sudo"
 
-#: src/config/SSSDConfig/__init__.py.in:435
+#: src/config/SSSDConfig/__init__.py.in:437
 msgid "Automatic full refresh period"
 msgstr "Período de refresco total automático"
 
-#: src/config/SSSDConfig/__init__.py.in:436
+#: src/config/SSSDConfig/__init__.py.in:438
 msgid "Automatic smart refresh period"
 msgstr "Período de refresco inteligente automático"
 
-#: src/config/SSSDConfig/__init__.py.in:437
+#: src/config/SSSDConfig/__init__.py.in:439
 msgid "Whether to filter rules by hostname, IP addresses and network"
 msgstr "Si filtrar la reglas por nombre de host, direcciones IP y red"
 
-#: src/config/SSSDConfig/__init__.py.in:438
+#: src/config/SSSDConfig/__init__.py.in:440
 msgid ""
 "Hostnames and/or fully qualified domain names of this machine to filter sudo "
 "rules"
@@ -1504,217 +1514,221 @@ msgstr "" "Nombres de host y/o nombres de dominio totalmente cualificado de esta " "máquina para filtrar las reglas sudo" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "Direcciones o red IPv4 o IPv6 de esta máquina para filtrar reglas sudo" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "Si incluir reglas que contienen netgroup en el atributo de host" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Si incluir reglas que contengan expresiones regulares en el atributo de host" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Objeto clase para reglas sudo" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Nombre de regla sudo" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Atributo de regla de comando sudo" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Atributo de la regla host de sudo" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Atributo de la regla usuario de sudo" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "Atributo de la regla 
opción de sudo" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "Atributo runas de regla sudo" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "Atributo de la regla suda runasuser" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Atributo de regla runasgroup de sudo" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Atributo de regla notbefore de sudo" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Atributo de regla noafter de sudo" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Atributo de regla orden de sudo" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Objeto clase para mapas automontador" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Atributo de nombre de mapa de automontador" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Objeto clase para entradas de mapa de automontador" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Atributo de clave de entrada para mapa de automontador" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Atributo de valor de entrada para mapa de automontador" -#: 
src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "Base DN para búsquedas de mapa de automontador" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Lista separada por comas de usuarios autorizados" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Lista separada por comas de usuarios prohibidos" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Shell predeterminado, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Base de los directorios de inicio" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "Número de hijos proxy prefabricados" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Nombre de la biblioteca NSS a usar" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "Si buscar el nombre canónico del grupo desde el cache si es posible" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Pila PAM a usar" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "Ruta de las fuentes del fichero passwd" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "Ruta de las fuentes del fichero group" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Convertirse en demonio (predeterminado)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Ejecutarse en forma interactiva (no un demonio)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "Deshabilitar el interfaz netlink" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Indicar un archivo de configuración diferente al predeterminado" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "Refrescar la base de datos de configuración, después salir" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "Similar a --genconf, pero solo refresca la sección dada" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Muestra el número de versión y finaliza" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "SSSD ya está corriendo\n" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Nive de depuración" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Agregar marcas de tiempo de depuración" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show 
timestamps with microseconds" msgstr "Mostrar marcas de tiempo con microsegundos" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Un arhivo abierto de descriptor para los registros de depuración" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "Enviar la salida de depuración a stderr directamente." -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "El usuario para crear FAST ccache como" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "El grupo para crear FAST ccache como" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "Reino Kerberos a usar" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "Tiempo de vida pedido del ticket" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "Teimpo de vida renovable pedido del ticket" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "Opciones FAST ('never', 'try', 'demand')" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "Especifica el servidor principal a usar por FAST" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "Solicita la 
canonización del nombre principal" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "Usar versión personal de krb5_get_init_creds_password" 
@@ -1722,83 +1736,83 @@ msgstr "Usar versión personal de krb5_get_init_creds_password"
 msgid "Domain of the information provider (mandatory)"
 msgstr "Dominio del proveedor de información (obligatorio)"
 
-#: src/sss_client/common.c:1084
+#: src/sss_client/common.c:1079
 msgid "Privileged socket has wrong ownership or permissions."
 msgstr "El zócalo privilegiado posee permisos o pertenencia equivocados."
 
-#: src/sss_client/common.c:1087
+#: src/sss_client/common.c:1082
 msgid "Public socket has wrong ownership or permissions."
 msgstr "El zócalo público posee permisos o pertenencia equivocados."
 
-#: src/sss_client/common.c:1090
+#: src/sss_client/common.c:1085
 msgid "Unexpected format of the server credential message."
 msgstr "Formato no esperado del mensaje de la credencial del servidor."
 
-#: src/sss_client/common.c:1093
+#: src/sss_client/common.c:1088
 msgid "SSSD is not run by root."
 msgstr "SSSD no está siendo ejecutado por el usuario root."
 
-#: src/sss_client/common.c:1096
+#: src/sss_client/common.c:1091
 msgid "SSSD socket does not exist."
 msgstr "El socket SSSD no existe."
 
-#: src/sss_client/common.c:1099
+#: src/sss_client/common.c:1094
 msgid "Cannot get stat of SSSD socket."
 msgstr "No se pueden obtener estadísticas del socket SSSD."
 
-#: src/sss_client/common.c:1104
+#: src/sss_client/common.c:1099
 msgid "An error occurred, but no description can be found."
 msgstr "Ha ocurrido un error, pero no se ha podido encontrar una descripción."
 
-#: src/sss_client/common.c:1110
+#: src/sss_client/common.c:1105
 msgid "Unexpected error while looking for an error description"
 msgstr ""
 "Ha ocurrido un error no esperado mientras se buscaba la descripción del error"
 
-#: src/sss_client/pam_sss.c:67
+#: src/sss_client/pam_sss.c:68
 msgid "Permission denied. "
 msgstr "Permiso denegado."
 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778
-#: src/sss_client/pam_sss.c:789
+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779
+#: src/sss_client/pam_sss.c:790
 msgid "Server message: "
 msgstr "Mensaje del servidor:"
 
-#: src/sss_client/pam_sss.c:296
+#: src/sss_client/pam_sss.c:297
 msgid "Passwords do not match"
 msgstr "Las contraseñas no coinciden"
 
-#: src/sss_client/pam_sss.c:484
+#: src/sss_client/pam_sss.c:485
 msgid "Password reset by root is not supported."
 msgstr "No existe soporte para reseteado de la contraseña por el usuario root."
 
-#: src/sss_client/pam_sss.c:525
+#: src/sss_client/pam_sss.c:526
 msgid "Authenticated with cached credentials"
 msgstr "Autenticado mediante credenciales cacheada"
 
-#: src/sss_client/pam_sss.c:526
+#: src/sss_client/pam_sss.c:527
 msgid ", your cached password will expire at: "
 msgstr ", su contraseña cacheada vencerá el:"
 
-#: src/sss_client/pam_sss.c:556
+#: src/sss_client/pam_sss.c:557
 #, c-format
 msgid "Your password has expired. You have %1$d grace login(s) remaining."
 msgstr "Su contraseña ha expirado. Usted tiene %1$d accesos restantes."
 
-#: src/sss_client/pam_sss.c:602
+#: src/sss_client/pam_sss.c:603
 #, c-format
 msgid "Your password will expire in %1$d %2$s."
 msgstr "Su contraseña expirará en %1$d %2$s."
 
-#: src/sss_client/pam_sss.c:651
+#: src/sss_client/pam_sss.c:652
 msgid "Authentication is denied until: "
 msgstr "La autenticación ha sido denegada hasta:"
 
-#: src/sss_client/pam_sss.c:672
+#: src/sss_client/pam_sss.c:673
 msgid "System is offline, password change not possible"
 msgstr "El sistema está fuera de línea, no se puede cambiar la contraseña"
 
-#: src/sss_client/pam_sss.c:687
+#: src/sss_client/pam_sss.c:688
 msgid ""
 "After changing the OTP password, you need to log out and back in order to "
 "acquire a ticket"
@@ -1806,65 +1820,65 @@ msgstr ""
 "Después de cambiar la contraseña OTP, usted debe salir y volver a entrar con "
 "el objetivo de fijarla"
-#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788
+#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789
 msgid "Password change failed. "
 msgstr "Falló el cambio de contraseña."
-#: src/sss_client/pam_sss.c:1989
+#: src/sss_client/pam_sss.c:2008
 msgid "New Password: "
 msgstr "Nueva contraseña: "
-#: src/sss_client/pam_sss.c:1990
+#: src/sss_client/pam_sss.c:2009
 msgid "Reenter new Password: "
 msgstr "Reingrese la contraseña nueva:"
-#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155
+#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174
 msgid "First Factor: "
 msgstr "Primer Factor: "
-#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324
+#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343
 msgid "Second Factor (optional): "
 msgstr "Segundo Factor (opcional): "
-#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327
+#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346
 msgid "Second Factor: "
 msgstr "Segundo Factor:"
-#: src/sss_client/pam_sss.c:2171
+#: src/sss_client/pam_sss.c:2190
 msgid "Password: "
 msgstr "Contraseña: "
-#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326
+#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345
 msgid "First Factor (Current Password): "
 msgstr "Primer Factor (Contraseña Actual): "
-#: src/sss_client/pam_sss.c:2330
+#: src/sss_client/pam_sss.c:2349
 msgid "Current Password: "
 msgstr "Contraseña actual: "
-#: src/sss_client/pam_sss.c:2685
+#: src/sss_client/pam_sss.c:2704
 msgid "Password expired. Change your password now."
 msgstr "La contraseña ha expirado. Modifíquela en este preciso momento."
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48
 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
-#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
-#: src/tools/sss_cache.c:704
+#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:719
 msgid "The debug level to run with"
 msgstr "Nivel de depuración en que se debe ejecutar"
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190
 msgid "The SSSD domain to use"
 msgstr "El dominio SSSD a usar"
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
-#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
-#: src/tools/sss_cache.c:750
+#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:765
 msgid "Error setting the locale\n"
 msgstr "Error al poner la región\n"
@@ -1880,27 +1894,27 @@ msgstr "Usuario no especificado\n"
 msgid "Error looking up public keys\n"
 msgstr "Error buscando claves públicas\n"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188
 msgid "The port to use to connect to the host"
 msgstr "El puerto a usar para conectar al host"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192
 msgid "Print the host ssh public keys"
 msgstr "Imprimir las claves públicas ssh del host"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234
 msgid "Invalid port\n"
 msgstr "Puerto no válido\n"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239
 msgid "Host not specified\n"
 msgstr "Host no especificado\n"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245
 msgid "The path to the proxy command must be absolute\n"
 msgstr "La ruta al comando proxy debe ser absoluta\n"
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324
 #, c-format
 msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n"
 msgstr "sss_ssh_knownhostsproxy: Podría no resolver el nombre de host %s\n"
@@ -1953,21 +1967,21 @@ msgstr "Especifique el usuario a agregar\n"
 #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
-#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200
 #: src/tools/sss_usermod.c:162
 msgid "Error initializing the tools - no local domain\n"
 msgstr "Error al inicializar las herramientas - no hay dominio local\n"
 #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
-#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202
 #: src/tools/sss_usermod.c:164
 msgid "Error initializing the tools\n"
 msgstr "Error al inicializar las herramientas\n"
 #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
-#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211
 #: src/tools/sss_usermod.c:173
 msgid "Invalid domain specified in FQDN\n"
 msgstr "Dominio inválido especificado en FQDN\n"
@@ -1988,7 +2002,7 @@ msgstr "Los grupos deben estar en el mismo dominio que el usuario\n"
 msgid "Cannot find group %1$s in local domain\n"
 msgstr "No se puede encontrar el grupo %1$s en el dominio local\n"
-#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221
 msgid "Cannot set default values\n"
 msgstr "No se pudieron establecer los valores predeterminados\n"
@@ -2067,7 +2081,7 @@ msgstr "El grupo %1$s está fuera del rango de ID definidas para el dominio\n"
 #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
-#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282
 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
 #, c-format
 msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
@@ -2140,15 +2154,15 @@ msgstr ""
 msgid "Transaction error. Could not modify group.\n"
 msgstr "Error de transacción. No se pudo modificar el grupo.\n"
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magia privada"
+
 #: src/tools/sss_groupshow.c:615
 #, c-format
 msgid "%1$s%2$sGroup: %3$s\n"
 msgstr "%1$s%2$sGroup: %3$s\n"
-#: src/tools/sss_groupshow.c:616
-msgid "Magic Private "
-msgstr "Magia privada"
-
 #: src/tools/sss_groupshow.c:618
 #, c-format
 msgid "%1$sGID number: %2$d\n"
@@ -2197,73 +2211,73 @@ msgstr ""
 msgid "Internal error. Could not print group.\n"
 msgstr "Error interno. No se pudo imprimir el grupo.\n"
-#: src/tools/sss_userdel.c:136
+#: src/tools/sss_userdel.c:138
 msgid "Remove home directory and mail spool"
 msgstr "Eliminar el directorio de inicio y el receptor de correo"
-#: src/tools/sss_userdel.c:138
+#: src/tools/sss_userdel.c:140
 msgid "Do not remove home directory and mail spool"
 msgstr "No eliminar el directorio de inicio y el receptor de correo"
-#: src/tools/sss_userdel.c:140
+#: src/tools/sss_userdel.c:142
 msgid "Force removal of files not owned by the user"
 msgstr "Forzar la eliminación de los archivos que no pertenecen al usuario"
-#: src/tools/sss_userdel.c:142
+#: src/tools/sss_userdel.c:144
 msgid "Kill users' processes before removing him"
 msgstr "Finaliza los procesos del usuario antes de eliminarlo"
-#: src/tools/sss_userdel.c:188
+#: src/tools/sss_userdel.c:190
 msgid "Specify user to delete\n"
 msgstr "Especifique el usuario a borrar\n"
-#: src/tools/sss_userdel.c:234
+#: src/tools/sss_userdel.c:236
 #, c-format
 msgid "User %1$s is outside the defined ID range for domain\n"
 msgstr "El usuario %1$s está fuera del rango de ID definido para el dominio\n"
-#: src/tools/sss_userdel.c:259
+#: src/tools/sss_userdel.c:261
 msgid "Cannot reset SELinux login context\n"
 msgstr "No es posible reiniciar contexto de registro de SELinux\n"
-#: src/tools/sss_userdel.c:271
+#: src/tools/sss_userdel.c:273
 #, c-format
 msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
 msgstr ""
 "PRECAUCIÓN: El usuario (uid %1$lu) estaba todavía conectado cuando se "
 "borró.\n"
-#: src/tools/sss_userdel.c:276
+#: src/tools/sss_userdel.c:278
 msgid "Cannot determine if the user was logged in on this platform"
 msgstr ""
 "No es posible determinar si el usuario estaba registrado en esta plataforma"
-#: src/tools/sss_userdel.c:281
+#: src/tools/sss_userdel.c:283
 msgid "Error while checking if the user was logged in\n"
 msgstr "Error mientras se verificaba si el usuario se encontraba registrado\n"
-#: src/tools/sss_userdel.c:288
+#: src/tools/sss_userdel.c:290
 #, c-format
 msgid "The post-delete command failed: %1$s\n"
 msgstr "El comando post-delete falló: %1$s\n"
-#: src/tools/sss_userdel.c:308
+#: src/tools/sss_userdel.c:310
 msgid "Not removing home dir - not owned by user\n"
 msgstr "No eliminando el directorio de inicio - no pertenece al usuario\n"
-#: src/tools/sss_userdel.c:310
+#: src/tools/sss_userdel.c:312
 #, c-format
 msgid "Cannot remove homedir: %1$s\n"
 msgstr "No se puede borrar homedir: %1$s\n"
-#: src/tools/sss_userdel.c:324
+#: src/tools/sss_userdel.c:326
 msgid ""
 "No such user in local domain. Removing users only allowed in local domain.\n"
 msgstr ""
 "No existe ese usuario en el dominio local. La eliminación de usuarios se "
 "permite en el dominio local.\n"
-#: src/tools/sss_userdel.c:329
+#: src/tools/sss_userdel.c:331
 msgid "Internal error. Could not remove user.\n"
 msgstr "Error interno. No se pudo eliminar el usuario.\n"
@@ -2351,71 +2365,71 @@ msgstr "No podría invalidar %1$s\n"
 msgid "Couldn't invalidate %1$s %2$s\n"
 msgstr "No podría invalidar %1$s %2$s\n"
-#: src/tools/sss_cache.c:706
+#: src/tools/sss_cache.c:721
 msgid "Invalidate all cached entries"
 msgstr "Invalidar todas las entradas en el cache"
-#: src/tools/sss_cache.c:708
+#: src/tools/sss_cache.c:723
 msgid "Invalidate particular user"
 msgstr "Usuario particular invalidado"
-#: src/tools/sss_cache.c:710
+#: src/tools/sss_cache.c:725
 msgid "Invalidate all users"
 msgstr "Todos los usuarios invalidados"
-#: src/tools/sss_cache.c:712
+#: src/tools/sss_cache.c:727
 msgid "Invalidate particular group"
 msgstr "Invalidar grupo concreto"
-#: src/tools/sss_cache.c:714
+#: src/tools/sss_cache.c:729
 msgid "Invalidate all groups"
 msgstr "Invalidar todos los grupos"
-#: src/tools/sss_cache.c:716
+#: src/tools/sss_cache.c:731
 msgid "Invalidate particular netgroup"
 msgstr "Invalidar un grupo de red concreto"
-#: src/tools/sss_cache.c:718
+#: src/tools/sss_cache.c:733
 msgid "Invalidate all netgroups"
 msgstr "Invalidar todos los grupos de red"
-#: src/tools/sss_cache.c:720
+#: src/tools/sss_cache.c:735
 msgid "Invalidate particular service"
 msgstr "Invalidar un servicio concreto"
-#: src/tools/sss_cache.c:722
+#: src/tools/sss_cache.c:737
 msgid "Invalidate all services"
 msgstr "Invalidar todos los servicios"
-#: src/tools/sss_cache.c:725
+#: src/tools/sss_cache.c:740
 msgid "Invalidate particular autofs map"
 msgstr "Invalidar mapa autofs concreto"
-#: src/tools/sss_cache.c:727
+#: src/tools/sss_cache.c:742
 msgid "Invalidate all autofs maps"
 msgstr "Invalidar todos los mapas autofs"
-#: src/tools/sss_cache.c:731
+#: src/tools/sss_cache.c:746
 msgid "Invalidate particular SSH host"
 msgstr "Invalidar SSH host concreto"
-#: src/tools/sss_cache.c:733
+#: src/tools/sss_cache.c:748
 msgid "Invalidate all SSH hosts"
 msgstr "Invalidar todos los hosts SSH"
-#: src/tools/sss_cache.c:737
+#: src/tools/sss_cache.c:752
 msgid "Invalidate particular sudo rule"
 msgstr "Invalidar una regla sudo concreta"
-#: src/tools/sss_cache.c:739
+#: src/tools/sss_cache.c:754
 msgid "Invalidate all cached sudo rules"
 msgstr "Invalidar todas las reglas sudo cacheadas"
-#: src/tools/sss_cache.c:742
+#: src/tools/sss_cache.c:757
 msgid "Only invalidate entries from a particular domain"
 msgstr "Solo invalidar las entradas de un dominio concreto"
-#: src/tools/sss_cache.c:796
+#: src/tools/sss_cache.c:811
 msgid ""
 "Unexpected argument(s) provided, options that invalidate a single object "
 "only accept a single provided argument.\n"
@@ -2423,11 +2437,11 @@ msgstr ""
 "Se han suministrado argumento(s) no esperado, opciones que invalidan un "
 "único objeto solo aceptan que se les suministre un único argumento.\n"
-#: src/tools/sss_cache.c:806
+#: src/tools/sss_cache.c:821
 msgid "Please select at least one object to invalidate\n"
 msgstr "Por favor seleccione al menos un objeto par invalidar\n"
-#: src/tools/sss_cache.c:889
+#: src/tools/sss_cache.c:904
 #, c-format
 msgid ""
 "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
@@ -2437,7 +2451,7 @@ msgstr ""
 "confiable), use el nombre totalmente cualificado en lugar de --domain/-d "
 "parametro.\n"
-#: src/tools/sss_cache.c:894
+#: src/tools/sss_cache.c:909
 msgid "Could not open available domains\n"
 msgstr "No podría abrir los dominios disponibles\n"
@@ -2472,7 +2486,6 @@ msgid "Invalid result."
 msgstr "Resultado no válido."
 #: src/tools/sssctl/sssctl.c:78
-#, c-format
 msgid "Unable to read user input\n"
 msgstr "Incapaz de leer la entrada del usuario\n"
@@ -2482,7 +2495,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n"
 msgstr "Entrada no válida, por favor suministre bien '%s' o bien '%s'.\n"
 #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
-#, c-format
 msgid "Error while executing external command\n"
 msgstr "Error mientras se ejecutaba comando externo\n"
@@ -2558,36 +2570,58 @@ msgstr "Tiempo de expiración de Initgroups"
 msgid "Search by group ID"
 msgstr "Búsqueda por ID de grupo"
-#: src/tools/sssctl/sssctl_config.c:67
+#: src/tools/sssctl/sssctl_config.c:70
+#, fuzzy, c-format
+msgid "Failed to open %s\n"
+msgstr "Incapaz de analizar el nombre %s.\n"
+
+#: src/tools/sssctl/sssctl_config.c:75
+#, fuzzy, c-format
+msgid "File %1$s does not exist.\n"
+msgstr "El socket SSSD no existe."
+
+#: src/tools/sssctl/sssctl_config.c:79
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+"La propiedad del fichero y la comprobación de permisos fallaron. Se esperaba "
+"root:root y 0600.\n"
+
+#: src/tools/sssctl/sssctl_config.c:85
 #, c-format
+msgid "Failed to load configuration configuration from %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:91
+msgid "Error while reading configuration directory.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:99
+#, fuzzy
 msgid ""
-"File %1$s does not exist. SSSD will use default configuration with files "
+"There is no configuration. SSSD will use default configuration with files "
 "provider.\n"
 msgstr ""
 "Fichero %1$s no existe. SSSD usará la configuración predeterminada con "
 "ficheros del suministrador.\n"
-#: src/tools/sssctl/sssctl_config.c:81
-#, c-format
-msgid ""
-"File ownership and permissions check failed. Expected root:root and 0600.\n"
+#: src/tools/sssctl/sssctl_config.c:111
+msgid "Failed to run validators"
 msgstr ""
-"La propiedad del fichero y la comprobación de permisos fallaron. Se esperaba "
-"root:root y 0600.\n"
-#: src/tools/sssctl/sssctl_config.c:104
+#: src/tools/sssctl/sssctl_config.c:115
 #, c-format
 msgid "Issues identified by validators: %zu\n"
 msgstr "Cuestiones identificadas por los validadores: %zu\n"
-#: src/tools/sssctl/sssctl_config.c:114
+#: src/tools/sssctl/sssctl_config.c:126
 #, c-format
 msgid "Messages generated during configuration merging: %zu\n"
 msgstr "Mensajes generados durante la configuración de la fusión: %zu\n"
-#: src/tools/sssctl/sssctl_config.c:127
-#, c-format
-msgid "Used configuration snippet files: %u\n"
+#: src/tools/sssctl/sssctl_config.c:137
+#, fuzzy, c-format
+msgid "Used configuration snippet files: %zu\n"
 msgstr "Configuración usada retazos de ficheros: %u\n"
 #: src/tools/sssctl/sssctl_data.c:89
@@ -2600,12 +2634,10 @@ msgid "SSSD backup of local data already exists, override?"
 msgstr "Respaldo SSSD de datos locales ya existe, ¿anular?"
 #: src/tools/sssctl/sssctl_data.c:111
-#, c-format
 msgid "Unable to export user overrides\n"
 msgstr "Incapaz de exportar usuarios anulados\n"
 #: src/tools/sssctl/sssctl_data.c:118
-#, c-format
 msgid "Unable to export group overrides\n"
 msgstr "Incapaz de exportar grupos anulados\n"
@@ -2614,17 +2646,15 @@ msgid "Override existing backup"
 msgstr "Anular respaldo existente"
 #: src/tools/sssctl/sssctl_data.c:164
-#, c-format
 msgid "Unable to import user overrides\n"
 msgstr "Incapaz de importar usuario anulado\n"
 #: src/tools/sssctl/sssctl_data.c:173
-#, c-format
 msgid "Unable to import group overrides\n"
 msgstr "Incapaz de importar grupo anulado\n"
 #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
-#: src/tools/sssctl/sssctl_domains.c:315
+#: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Arrancar SSSD si no está corriendo"
@@ -2645,29 +2675,24 @@ msgid "Start SSSD when the cache is removed"
 msgstr "Iniciar SSSD cuando se haya borrado el cache"
 #: src/tools/sssctl/sssctl_data.c:235
-#, c-format
 msgid "Creating backup of local data...\n"
 msgstr "Creando respaldo de los datos locales...\n"
 #: src/tools/sssctl/sssctl_data.c:238
-#, c-format
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Incapaz de crear el respaldo de los datos locales, no se puede quitar el "
 "cache.\n"
 #: src/tools/sssctl/sssctl_data.c:243
-#, c-format
 msgid "Removing cache files...\n"
 msgstr "Borrando los ficheros del cache...\n"
 #: src/tools/sssctl/sssctl_data.c:246
-#, c-format
 msgid "Unable to remove cache files\n"
 msgstr "Incapaz de borrar ficheros en cache\n"
 #: src/tools/sssctl/sssctl_data.c:251
-#, c-format
 msgid "Restoring local data...\n"
 msgstr "Restaurando datos locales...\n"
@@ -2677,17 +2702,11 @@ msgstr ""
 "Muestra la lista de dominio incluyendo los tipos de dominios primarios y de "
 "confianza"
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
 #: src/tools/sssctl/sssctl_user_checks.c:95
-#, c-format
 msgid "Unable to connect to system bus!\n"
 msgstr "¡Incapaz de conectar al bus del sistema!\n"
-#: src/tools/sssctl/sssctl_domains.c:167
-#, c-format
-msgid "Online status: %s\n"
-msgstr "Estado en línea: %s\n"
-
 #: src/tools/sssctl/sssctl_domains.c:167
 msgid "Online"
 msgstr "En línea"
@@ -2696,52 +2715,62 @@ msgstr "En línea"
 msgid "Offline"
 msgstr "Fuera de línea"
-#: src/tools/sssctl/sssctl_domains.c:212
+#: src/tools/sssctl/sssctl_domains.c:167
 #, c-format
+msgid "Online status: %s\n"
+msgstr "Estado en línea: %s\n"
+
+#: src/tools/sssctl/sssctl_domains.c:213
+#, fuzzy
+msgid "This domain has no active servers.\n"
+msgstr "Mostrar información sobre el servidor activo"
+
+#: src/tools/sssctl/sssctl_domains.c:218
 msgid "Active servers:\n"
 msgstr "Servidores activos:\n"
-#: src/tools/sssctl/sssctl_domains.c:223
+#: src/tools/sssctl/sssctl_domains.c:230
 msgid "not connected"
 msgstr "no conectado"
-#: src/tools/sssctl/sssctl_domains.c:260
+#: src/tools/sssctl/sssctl_domains.c:267
+msgid "No servers discovered.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:273
 #, c-format
 msgid "Discovered %s servers:\n"
 msgstr "Descubiertos %s servidores:\n"
-#: src/tools/sssctl/sssctl_domains.c:272
+#: src/tools/sssctl/sssctl_domains.c:285
 msgid "None so far.\n"
 msgstr "Ninguno tan lejos.\n"
-#: src/tools/sssctl/sssctl_domains.c:312
+#: src/tools/sssctl/sssctl_domains.c:325
 msgid "Show online status"
 msgstr "Mostrar el estado en línea"
-#: src/tools/sssctl/sssctl_domains.c:313
+#: src/tools/sssctl/sssctl_domains.c:326
 msgid "Show information about active server"
 msgstr "Mostrar información sobre el servidor activo"
-#: src/tools/sssctl/sssctl_domains.c:314
+#: src/tools/sssctl/sssctl_domains.c:327
 msgid "Show list of discovered servers"
 msgstr "Mostrar la lista de servidores descubiertos"
-#: src/tools/sssctl/sssctl_domains.c:320
+#: src/tools/sssctl/sssctl_domains.c:333
 msgid "Specify domain name."
 msgstr "Especificar el nombre de dominio."
-#: src/tools/sssctl/sssctl_domains.c:342
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:355
 msgid "Out of memory!\n"
 msgstr "¡Fuera de memoria!\n"
-#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
 msgid "Unable to get online status\n"
 msgstr "Incapaz de obtener el estado en línea\n"
-#: src/tools/sssctl/sssctl_domains.c:382
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:395
 msgid "Unable to get server list\n"
 msgstr "Incapaz de obtener la lista de servidores\n"
@@ -2754,27 +2783,22 @@ msgid "Delete log files instead of truncating"
 msgstr "Borrar los ficheros de registro en lugar de dividirlos"
 #: src/tools/sssctl/sssctl_logs.c:248
-#, c-format
 msgid "Deleting log files...\n"
 msgstr "Borrando ficheros de registro...\n"
 #: src/tools/sssctl/sssctl_logs.c:251
-#, c-format
 msgid "Unable to remove log files\n"
 msgstr "Incapaz de borrar los ficheros de registro\n"
 #: src/tools/sssctl/sssctl_logs.c:257
-#, c-format
 msgid "Truncating log files...\n"
 msgstr "Truncando ficheros de registro...\n"
 #: src/tools/sssctl/sssctl_logs.c:260
-#, c-format
 msgid "Unable to truncate log files\n"
 msgstr "Incapaz de truncar los ficheros de registro\n"
 #: src/tools/sssctl/sssctl_logs.c:286
-#, c-format
 msgid "Out of memory!"
 msgstr "¡Fuera de memoria!"
@@ -2784,7 +2808,6 @@ msgid "Archiving log files into %s...\n"
 msgstr "Archivando ficheros de registro en %s...\n"
 #: src/tools/sssctl/sssctl_logs.c:292
-#, c-format
 msgid "Unable to archive log files\n"
 msgstr "Incapaz de archivar los ficheros de registro\n"
@@ -2793,7 +2816,6 @@ msgid "Specify debug level you want to set"
 msgstr "Especifique el nivel de depuración que desea fijar"
 #: src/tools/sssctl/sssctl_user_checks.c:117
-#, c-format
 msgid "SSSD InfoPipe user lookup result:\n"
 msgstr "SSSD InfoPipe resultado de la búsqueda de usuario:\n"
@@ -2808,7 +2830,6 @@ msgid "dlsym failed with [%s].\n"
 msgstr "dlsym falló con with [%s].\n"
 #: src/tools/sssctl/sssctl_user_checks.c:182
-#, c-format
 msgid "malloc failed.\n"
 msgstr "malloc falló.\n"
@@ -2818,7 +2839,6 @@ msgid "sss_getpwnam_r failed with [%d].\n"
 msgstr "sss_getpwnam_r falló con [%d].\n"
 #: src/tools/sssctl/sssctl_user_checks.c:194
-#, c-format
 msgid "SSSD nss user lookup result:\n"
 msgstr "Resultado de la búsqueda de usuario SSSD nss:\n"
@@ -2881,23 +2901,22 @@ msgstr ""
 "servicio: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:253
+#: src/tools/sssctl/sssctl_user_checks.c:252
 #, c-format
 msgid "User name lookup with [%s] failed.\n"
 msgstr "Búsqueda de nombre de usuario con [%s] falló.\n"
-#: src/tools/sssctl/sssctl_user_checks.c:258
+#: src/tools/sssctl/sssctl_user_checks.c:257
 #, c-format
 msgid "InfoPipe User lookup with [%s] failed.\n"
 msgstr "Búsqueda de Usuario InfoPipe con [%s] falló.\n"
-#: src/tools/sssctl/sssctl_user_checks.c:265
+#: src/tools/sssctl/sssctl_user_checks.c:263
 #, c-format
 msgid "pam_start failed: %s\n"
 msgstr "pam_start falló: %s\n"
-#: src/tools/sssctl/sssctl_user_checks.c:270
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:268
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2905,12 +2924,12 @@ msgstr ""
 "probando pam_authenticate\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:274
+#: src/tools/sssctl/sssctl_user_checks.c:272
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item falló: %s\n"
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:275
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2919,8 +2938,7 @@ msgstr ""
 "pam_authenticate para usuario [%s]: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:281
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:278
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2928,7 +2946,7 @@ msgstr ""
 "probando pam_chauthtok\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:283
+#: src/tools/sssctl/sssctl_user_checks.c:280
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2937,8 +2955,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:285
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:282
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2946,7 +2963,7 @@ msgstr ""
 "probando pam_acct_mgmt\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:287
+#: src/tools/sssctl/sssctl_user_checks.c:284
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2955,8 +2972,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:289
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:286
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2964,7 +2980,7 @@ msgstr ""
 "probando pam_setcred\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:291
+#: src/tools/sssctl/sssctl_user_checks.c:288
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2973,8 +2989,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:293
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:290
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -2982,7 +2997,7 @@ msgstr ""
 "probando pam_open_session\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:295
+#: src/tools/sssctl/sssctl_user_checks.c:292
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -2991,8 +3006,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:297
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:294
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3000,7 +3014,7 @@ msgstr ""
 "probando pam_close_session\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:299
+#: src/tools/sssctl/sssctl_user_checks.c:296
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3009,18 +3023,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
-#: src/tools/sssctl/sssctl_user_checks.c:302
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:298
 msgid "unknown action\n"
 msgstr "acción desconocida\n"
-#: src/tools/sssctl/sssctl_user_checks.c:305
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:301
 msgid "PAM Environment:\n"
 msgstr "Entorno PAM:\n"
-#: src/tools/sssctl/sssctl_user_checks.c:313
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:309
 msgid " - no env -\n"
 msgstr " - no env -\n"
diff --git a/po/eu.po b/po/eu.po
index 0d4a2a53a4b..dce3b6ba408 100644
--- a/po/eu.po
+++ b/po/eu.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2019-09-12 02:51+0200\n"
+"POT-Creation-Date: 2019-11-30 22:24+0100\n"
 "PO-Revision-Date: 2014-12-14 11:45+0000\n"
 "Last-Translator: Copied by Zanata \n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
@@ -78,12 +78,12 @@ msgid "Timeout for messages sent over the SBUS"
 msgstr ""
 #: src/config/SSSDConfig/__init__.py.in:60
-#: src/config/SSSDConfig/__init__.py.in:201
+#: src/config/SSSDConfig/__init__.py.in:203
 msgid "Regex to parse username and domain"
 msgstr ""
 #: src/config/SSSDConfig/__init__.py.in:61
-#: src/config/SSSDConfig/__init__.py.in:200
+#: src/config/SSSDConfig/__init__.py.in:202
 msgid "Printf-compatible format for displaying fully-qualified names"
 msgstr ""
@@ -297,1280 +297,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Gutxienezko erabiltzaile IDa" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Gehienezko erabiltzaile IDa" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: 
src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA domeinua" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA zerbitzariaren helbidea" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA bezeroaren ostalari-izena" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the 
HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user 
override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation 
mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in 
days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of 
the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "FAST gaitzen du" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "entryUSN atributua" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "lastUSN atributua" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr 
"" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "UID atributua" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "objectSID atributua" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Izen osoa" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "shadowLastChange atributua" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "shadowMin atributua" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "shadowMax atributua" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "shadowWarning atributua" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "shadowInactive atributua" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "shadowExpire atributua" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "shadowFlag atributua" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "krbLastPwdChange atributua" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "krbPasswordExpiration atributua" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password 
policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "ADren accountExpires atributua" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "ADren userAccountControl atributua" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "nsAccountLock atributua" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass 
for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Talde-izena" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Taldearen pasahitza" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "GID atributua" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: 
src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: 
src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid 
"Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option 
attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Shell lehenetsia, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Inprimatu bertsio zenbakia eta irten" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Arazketa maila" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Gehitu arazketako data-zigiluak" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 
src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1578,146 +1592,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Huts egin du pasahitza aldatzeak. 
" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Pasahitz berria: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Berriz sartu pasahitz berria: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Pasahitza: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Uneko pasahitza: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Pasahitza iraungita. Aldatu zure pasahitza orain." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1733,27 +1747,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "Errorea gako publikoak bilatzean\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Ostalarira konektatzeko erabiliko den ataka" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1805,21 +1819,21 @@ msgstr "Zehaztu gehitu beharreko erabiltzailea\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Errorea tresnak hasieratzean - domeinu lokalik ez\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Errorea tresnak hasieratzean\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Baliogabeko domeinua zehaztu da FQDN-n\n" @@ -1840,7 +1854,7 @@ msgstr "Taldeek erabiltzailearen domeinu berean egon behar dute\n" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Ezin dira balio lehenetsiak ezarri\n" @@ -1917,7 +1931,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1979,15 +1993,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sTaldea: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2030,68 +2044,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2170,88 +2184,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Baliogabetu erabiltzaile bat" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Baliogabetu erabiltzaile guztiak" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Baliogabetu talde bat" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Baliogabetu talde guztiak" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Baliogabetu zerbitzu bat" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Baliogabetu zerbitzu guztiak" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: 
src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2286,7 +2300,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2296,7 +2309,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2372,32 +2384,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2410,12 +2443,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2424,17 +2455,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2455,27 +2484,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2483,17 +2507,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2502,52 +2520,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2560,27 +2587,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2590,7 +2612,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2599,7 +2620,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2614,7 +2634,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2624,7 +2643,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2681,122 +2699,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/fr.po b/po/fr.po index 377d65362a6..db16ecd3954 100644 --- a/po/fr.po +++ b/po/fr.po @@ -13,7 +13,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2016-02-24 03:43+0000\n" "Last-Translator: Jérôme Fenal \n" "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/" 
@@ -86,12 +86,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Délai d'attente pour les messages à envoyer à travers SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Expression rationnelle d'analyse des noms d'utilisateur et de domaine" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Format compatible printf d'affichage des noms complétement qualifiés" 
@@ -334,426 +334,436 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur PAC" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur " "InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The 
maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 
msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Fournisseur d'identité" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Fournisseur d'authentification" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Fournisseur de contrôle d'accès" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Fournisseur de changement de mot de passe" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "Fournisseur SUDO" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Fournisseur autofs" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Fournisseur d'identité de l'hôte" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user 
ID" msgstr "Identifiant utilisateur minimum" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Identifiant utilisateur maximum" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Activer l'énumération de tous les utilisateurs/groupes" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Mettre en cache les crédits pour une connexion hors-ligne" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Afficher les utilisateurs/groupes dans un format complétement qualifié" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Ne pas inclure les membres des groupes dans les recherches de groupes." 
-#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Durée de validité des entrées en cache (en secondes)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "Restreindre ou préférer une famille d'adresses lors des recherches DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Durée de validité des entrées en cache après la dernière connexion réussie " "(en jours)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Délai d'attente des réponses du DNS lors de la résolution des serveurs (en " "secondes)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "La partie domaine de la requête de découverte de service DNS" -#: src/config/SSSDConfig/__init__.py.in:178 +#: 
src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "Écraser la valeur du GID du fournisseur d'identité avec cette valeur" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Considère les noms d'utilisateur comme casse dépendant" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Fréquence de rafraîchissement en arrière plan des entrées expirées" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Choisir de mettre à jour automatiquement l'entrée DNS du client" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "Le TTL à appliquer à l'entrée DNS du client après modification" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "L'interface dont l'adresse IP doit être utilisée pour les mises à jour " "dynamiques du DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Fréquence de mise à jour automatique de l'entrée DNS du client" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" "Selon que le fournisseur doit aussi ou non mettre à jour explicitement " 
"l'enregistrement PTR" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Selon que l'utilitaire nsupdate doit utiliser TCP par défaut" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Quel type d'authentification doit être utilisée pour effectuer la mise à " "jour DNS" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Contrôle l'énumération des domaines approuvés" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Fréquence de rafraîchissement des sous-domaines" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "Listes des options qui doivent être héritées dans le sous-domaine" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Domaine IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 
msgid "IPA server address" msgstr "Adresse du serveur IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adresse du serveur IPA de secours" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nom de système du client IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Choisir de mettre à jour automatiquement l'entrée DNS du client dans FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Base de recherche pour les objets HBAC" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "Délai entre les recherches de règles HBAC sur le serveur IPA" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "Délai entre les recherches de cartes SELinux sur le serveur IPA" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "Si mit à false, l’argument de l'hôte donné par PAM est ignoré" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" "L'emplacement de la carte de montage automatique utilisée par le client IPA" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" "Base de recherche pour l'objet 
contenant les informations de base à propos " "du domaine IPA" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" "Base de recherche pour les objets contenant les informations à propos des " "plages d'ID" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "Activer les sites DNS - découverte de service basée sur l'emplacement" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Base de recherche des conteneurs de vues" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Classe d'objet pour les conteneurs de vues" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "Attribut avec le nom de la vue" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Classe d'objet surchargeant les objets" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "Attribut faisant référence à l'objet originel " -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Classe d'objet surchargeant les utilisateurs" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Classe d'objet surchargeant les groupes" -#: src/config/SSSDConfig/__init__.py.in:227 +#: 
src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Domaine Active Directory" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Adresse du serveur Active Directory" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Adresse du serveur Active Directory de secours" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Nom de système du client Active Directory" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Filtre LDAP pour déterminer les autorisations d'accès" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Choisir d'utiliser ou non le catalogue global pour les recherches" -#: src/config/SSSDConfig/__init__.py.in:240 +#: 
src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Mode opératoire pour les contrôles d'accès basé sur les GPO" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" @@ -761,7 +771,7 @@ msgstr "" "Durée entre les recherches de fichiers de politiques de GPO dans le serveur " "AD" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -769,7 +779,7 @@ msgstr "" "Noms de services PAM correspondant à la configuration de la politique " "(Deny)InteractiveLogonRight de la GPO" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -777,268 +787,268 @@ msgstr "" "Noms de services PAM correspondant à la configuration de la politique " "(Deny)RemoteInteractiveLogonRight de la GPO" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "Noms de services PAM correspondant à la configuration de la politique " "(Deny)NetworkLogonRight de la GPO" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "Noms de services PAM correspondant à la configuration de la politique " "(Deny)BatchLogonRight de la GPO" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "Noms de services PAM correspondant à la configuration de la politique " "(Deny)ServiceLogonRight de la GPO" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" "Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont " "toujours autorisés" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" "Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont " "toujours interdits" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Droit de connexion par défaut (ou permission/interdiction) à utiliser pour " "les noms de services sans correspondance" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site 
to be used by the client" msgstr "un site particulier utilisé par le client" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Adresse du serveur Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Adresse du serveur Kerberos de secours" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Domaine Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Délai avant expiration de l'authentification" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Choisir de créer ou non les fichiers kdcinfo" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Où déposer les extraits de configuration krb5" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Répertoire pour stocker les caches de crédits" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Emplacement du cache de crédits de l'utilisateur" -#: src/config/SSSDConfig/__init__.py.in:266 +#: 
src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Emplacement du fichier keytab de validation des crédits" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Activer la validation des crédits" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "Stocker le mot de passe, si hors-ligne, pour une authentification ultérieure " "en ligne" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Durée de vie renouvelable du TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Durée de vie du TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Durée entre deux vérifications pour le renouvellement" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Active FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Sélectionne le principal à utiliser avec FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Active la canonisation du principal" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Active les principals d'entreprise" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: 
src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Serveur où tourne le service de changement de mot de passe s'il n'est pas " "sur le KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, l'adresse du serveur LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, l'URI du serveur LDAP" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "La base DN par défaut" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Le type de schéma utilisé sur le serveur LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Le DN de connexion par défaut" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Le type de jeton d'authentification du DN de connexion par défaut" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Le jeton d'authentification du DN de connexion par défaut" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Durée pendant laquelle il sera tenté d'établir la connexion" -#: 
src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Durée pendant laquelle il sera tenté des opérations LDAP synchrones" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Durée d'attente entre deux essais de reconnexion en mode hors-ligne" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "N'utiliser que des majuscules pour les noms de domaine" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Fichier contenant les certificats des CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Chemin vers le répertoire de certificats des CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Fichier contenant le certificat client" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Fichier contenant la clé du client" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Liste des suites de chiffrement possibles" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Requiert une vérification de certificat TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Spécifier le mécanisme SASL à utiliser" -#: src/config/SSSDConfig/__init__.py.in:302 +#: 
src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Spécifier l'identité d'authorisation SASL à utiliser" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Spécifier le domaine d'authorisation SASL à utiliser" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Spécifie le minimum SSF pour l'autorisation sasl LDAP" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Service du fichier keytab de Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Utiliser l'authentification Kerberos pour la connexion LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Suivre les référents LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Durée de vie du TGT pour la connexion LDAP" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Comment déréférencer les alias" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Nom du service pour les recherches DNS" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "Le nombre d'enregistrements à récupérer dans une requête LDAP unique" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be 
missing to trigger a full deref" msgstr "" "Nombre de membres qui doivent être manquants pour activer un déréférencement " "complet" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1046,389 +1056,389 @@ msgstr "" "Est-ce que la bibliothèque LDAP doit effectuer une requête pour canoniser le " "nom d'hôte pendant une connexion SASL ?" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "attribut entryUSN" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "attribut lastUSN" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "Combien de temps conserver la connexion au serveur LDAP avant de se " "déconnecter" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Désactiver le contrôle des pages LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Désactiver la récupération de plage Active Directory." 
-#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Durée d'attente pour une requête de recherche" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Durée d'attente pour une requête d'énumération" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Durée entre deux mises à jour d'énumération" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Durée entre les nettoyages de cache" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "TLS est requis pour les recherches d'identifiants" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" "Utilisation de la correspondance d'ID pour les objectSID au lieu d'ID pré-" "établis" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Base DN pour les recherches d'utilisateurs" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Scope des recherches d'utilisateurs" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtre pour les recherches d'utilisateurs" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Classe d'objet pour les utilisateurs" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username 
attribute" msgstr "Attribut de nom d'utilisateur" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Attribut UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Attribut de GID primaire" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Attribut GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Attribut de répertoire utilisateur" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Attribut d'interpréteur de commandes" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "attribut UUID" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "attribut objectSID" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Groupe primaire Active Directory pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Attribut d'utilisateur principal (pour Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nom complet" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Attribut memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" 
msgstr "Attribut de date de modification" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "Attribut shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "Attribut shadowMin" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "Attribut shadowMax" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "Attribut shadowWarning" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "Attribut shadowInactive" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "Attribut shadowExpire" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "Attribut shadowFlag" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Attribut listant les services PAM autorisés" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Attribut listant les systèmes serveurs autorisés" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "Attribut krbLastPwdChange" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "Attribut krbPasswordExpiration" -#: 
src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" "Attribut indiquant que la stratégie de mot de passe du serveur est active" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "Attribut AD accountExpires" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "Attribut AD userAccountControl" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "Attribut nsAccountLock" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "Attribut NDS loginDisabled" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "Attribut NDS loginExpirationTime" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "Attribut NDS loginAllowedTimeMap" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Attribut de clé public SSH" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" "attribut énumérant les types d'authentification autorisés pour un utilisateur" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "attribut contenant le certificat X509 de l'utilisateur" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing 
the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" "Une liste des attributs supplémentaires à télécharger avec l'entrée de " "l'utilisateur" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "DN de base pour les recherches de groupes" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Classe d'objet pour les groupes" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Nom du groupe" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Mot de passe du groupe" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Attribut GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Attribut membre du groupe" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "attribut de l'UUID du groupe" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Attribut de date de modification pour les groupes" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Type de groupe et autres indicateurs" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum 
nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "DN de base pour les recherches de netgroup" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Classe d'objet pour les groupes réseau" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Nom du groupe réseau" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Attribut des membres des groupes réseau" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Attribut triplet du groupe réseau" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Attribut date de modification pour les groupes réseau" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Nom de domaine (DN) de base pour les recherches de service" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Classe objet pour les services" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Attribut de nom de service" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Attribut de port du service" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Attribut de service du protocole" -#: src/config/SSSDConfig/__init__.py.in:405 +#: 
src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Limite inférieure pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Limite supérieure pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Nombre d'ID par tranche pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" "Utilisation d'un algorithme compatible autorid pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Nom du domaine par défaut pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID du domaine par défaut pour la correspondance d'ID" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Choisir d'utiliser ou non les groupes de jetons" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" "Définir la limite inférieure d'identifiants autorisés pour l'annuaire LDAP" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" "Définir la limite supérieure d'identifiants autorisés pour l'annuaire LDAP" -#: src/config/SSSDConfig/__init__.py.in:416 
+#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN pour les requêtes sur ppolicy" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Stratégie d'évaluation de l'expiration du mot de passe" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "Quels attributs utiliser pour déterminer si un compte a expiré" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Quelles règles utiliser pour évaluer le contrôle d'accès" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "URI d'un serveur LDAP où les changements de mot de passe sont acceptés" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" "URI d'un serveur LDAP de secours où sont autorisées les modifications de mot " "de passe" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "Nom du service DNS pour le serveur de changement de mot de passe LDAP" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" 
@@ -1436,23 +1446,23 @@ msgstr "" "Choix de mise à jour de l'attribut ldap_user_shadow_last_change après un " "changement de mot de passe" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Nom de domaine (DN) de base pour les recherches de règles sudo" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Périodicité de rafraichissement total" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Périodicité de rafraichissement intelligent" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "Filter ou non sur les noms de systèmes, adresses IP et réseaux" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1460,221 +1470,225 @@ msgstr "" "Noms de systèmes et/ou noms pleinement qualifiés de cette machine pour " "filtrer les règles sudo" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "Adresses ou réseaux IPv4 ou IPv6 de cette machine pour filtrer les règles " "sudo" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Inclure ou non les règles qui contiennent un netgroup dans l'attribut host" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Inclure ou non les règles qui contiennent une expression rationnelle dans " "l'attribut host" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Classe objet pour les règles sudo" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Règle de nom sudo" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Attribut de commande de règle sudo" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Attribut hôte de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Attribut utilisateur de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" 
msgstr "Attribut option de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "Attribut de règle sudo runas" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "Attribut runasuser de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Attribut runasgroup de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Attribut notbefore de la règle sudo" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Attribut notafter de règle sudo" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Attribut d'ordre de règle sudo" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Classe objet pour la carte de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Nom de l'attribut de carte de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Classe objet pour l'entrée de référence de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Attribut de clé d'entrée pour la carte de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr 
"Attribut de valeur pour la carte de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "Base DN pour les requêtes de carte de montage automatique" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Liste, séparée par des virgules, d'utilisateurs autorisés" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Liste, séparée par des virgules, d'utilisateurs interdits" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Interpréteur de commande par défaut : /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Base pour les répertoires utilisateur" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Nom de la bibliothèque NSS à utiliser" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "Rechercher le nom canonique du groupe dans le cache si possible" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Pile PAM à utiliser" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Devenir un démon (par défaut)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Fonctionner en interactif (non démon)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Définir un fichier de configuration différent de celui par défaut" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Afficher le numéro de version et quitte" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Niveau de débogage" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Ajouter l'horodatage au débogage" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Afficher l'horodatage en microsecondes" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid 
"An open file descriptor for the debug logs" msgstr "Un descripteur de fichier ouvert pour les journaux de débogage" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "Envoyer la sortie de débogage directement vers l'erreur standard." -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "L'utilisateur à utiliser pour la création du ccache FAST" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "Le groupe à utiliser pour la création du ccache FAST" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1682,87 +1696,87 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Domaine du fournisseur d'informations (obligatoire)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" "Le socket privilégié a de mauvaises permissions ou un mauvais propriétaire." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" "Le socket public a de mauvaises permissions ou un mauvais propriétaire." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Le message du serveur de crédits a un format inattendu." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD n'est pas démarré par root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Une erreur est survenue mais aucune description n'est trouvée." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Erreur inattendue lors de la recherche de la description de l'erreur" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "Accès refusé." 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Message du serveur : " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Les mots de passe ne correspondent pas" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "" "La réinitialisation du mot de passe par root n'est pas prise en charge." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Authentifié avec les crédits mis en cache" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", votre mot de passe en cache expirera à :" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" "Votre mot de passe a expiré. Il vous reste %1$d connexion(s) autorisée(s)." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Votre mot de passe expirera dans %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "L'authentification est refusée jusque :" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" "Le système est hors-ligne, les modifications du mot de passe sont impossibles" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1770,65 +1784,65 @@ msgstr "" "Après avoir modifié le mot de passe OTP, vous devez vous déconnecter et vous " "reconnecter afin d'acquérir un ticket" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Échec du changement de mot de passe." -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nouveau mot de passe : " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Retaper le nouveau mot de passe : " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "Premier facteur :" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "Second facteur :" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Mot de passe : " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Mot de passe actuel : " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Mot de passe expiré. Changez votre mot de passe maintenant." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Le niveau de débogage utilisé avec" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "Le domaine SSSD à utiliser" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Erreur lors du paramétrage de la locale\n" 
@@ -1844,27 +1858,27 @@ msgstr "Utilisateur non spécifié\n" msgid "Error looking up public keys\n" msgstr "Erreur lors de la recherche des clés publiques\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Le port à utiliser pour se connecter à l'hôte" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Port invalide\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Hôte non spécifié\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Le chemin vers la commande de proxy doit être absolue\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1916,21 +1930,21 @@ msgstr "Définir l'utilisateur à ajouter à\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Erreur à l'initialisation des outils - aucun domaine local\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Erreur à l'initialisation des outils\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Domaine invalide définit dans le FQDN\n" @@ -1951,7 +1965,7 @@ msgstr "Les groupes doivent être dans le même domaine que l'utilisateur\n" msgid "Cannot find group %1$s in local domain\n" msgstr "Impossible de trouver le groupe %1$s dans le domaine local\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Impossible de définir les valeurs par défaut\n" 
@@ -2035,7 +2049,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2111,15 +2125,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Erreur de transaction. Impossible de modifier le groupe.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magie privée" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGroup: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magie privée" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2168,77 +2182,77 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Erreur interne. Impossible d'afficher le groupe.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Suppression du répertoire personnel et de gestion des mails" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Ne pas supprimer le répertoire personnel et de gestion des mails" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Forcer la suppression des fichiers n'appartenant pas à l'utilisateur" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Tuer les processus de l'utilisateur avant de le supprimer" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Définir l'utilisateur à supprimer\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" "L'utilisateur %1$s est en dehors de la plage d'identifiants définie pour le " "domaine\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "Impossible de réinitialiser le contexte de connexion SELinux\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "ATTENTION : l'utilisateur (uid %1$lu) était encore connecté lors de sa " "suppression.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" "Impossible de savoir si l'utilisateur était connecté sur cette plateforme" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error 
while checking if the user was logged in\n" msgstr "Erreur en vérifiant si l'utilisateur était connecté\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "La commande post-suppression a échoué : %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" "Le répertoire personnel n'est pas supprimé - l'utilisateur n'en est pas le " "propriétaire\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Impossible de supprimer le répertoire utilisateur : %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Aucun utilisateur dans le domaine local. La suppression des utilisateurs " "n'est autorisée que dans le domaine local.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Erreur interne. Impossible de supprimer l'utilisateur.\n" 
@@ -2326,81 +2340,81 @@ msgstr "Impossible d'invalider %1$s\n" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "Impossible d'invalider %1$s %2$s\n" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Invalider un utilisateur spécifique" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Invalider tous les utilisateurs" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Invalider un groupe particulier" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Invalider tous les groupes" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Invalider un groupe réseau particulier" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Invalider tous les groupes réseau" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Invalidation d'un service particulier" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Invalidation de tous les services" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Invalidation d'une carte autofs particulière" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Invalidation de toutes les cartes autofs" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "Invalider un hôte SSH particulier" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "Invalider tous les hôtes SSH" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid 
"Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "N'invalider des entrées que d'un domaine spécifique" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Merci de sélectionner au moins un objet à invalider\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2410,7 +2424,7 @@ msgstr "" "(domaine approuvé), utiliser le nom pleinement qualifié au lieu du paramètre " "--domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Impossible d'ouvrir aucun des domaines disponibles\n" @@ -2446,7 +2460,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2456,7 +2469,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2532,32 +2544,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2570,12 +2603,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2584,17 +2615,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2615,27 +2644,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2643,17 +2667,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2662,52 +2680,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2720,27 +2747,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2750,7 +2772,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2759,7 +2780,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2774,7 +2794,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2784,7 +2803,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2841,122 +2859,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/hu.po b/po/hu.po index 51d1c562bbe..d49e394512f 100644 --- a/po/hu.po +++ b/po/hu.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:45+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Hungarian (http://www.transifex.com/projects/p/sssd/language/" @@ -80,12 +80,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -299,1280 +299,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Azonosító-kiszolgáló" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Legkisebb felhasználói azonosító" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Legnagyobb felhasználói azonosító" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Azonosítók gyorsítótárazása offline használathoz" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Bejegyzés-gyorsítótár érvényessége (másodperc)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 
+#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 
+#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-tartomány" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA kiszolgáló címe" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA kliens hosztneve" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: 
src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos-kiszolgáló címe" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberos-tartomány" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Időtúllépés azonosításkor" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store 
password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, az LDAP szerver URI-ja" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Alapértelmezett LDAP alap-DN-je" -#: src/config/SSSDConfig/__init__.py.in:286 +#: 
src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Az LDAP szerveren használt séma-típus, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Az alapértelmezett bind DN" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "A kapcsolódási próbálkozás időtartama" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "A CA tanusítványokat tartalmazó fájl" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 
msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "TLS tanusítvány ellenőrzése" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "TLS megkövetelése ID keresésekor" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping 
of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "GECOS attribútum" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Shell attribútum" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for 
Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Teljes név" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "memberOf attribútum" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: 
src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid 
"Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Csoport neve" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Csoport jelszava" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: 
src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: 
src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN 
for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Alapértelmezett shell, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Időbélyegek a hibakeresési kimenetben" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Mikroszekundum pontosságú időbélyegek" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 
src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1580,146 +1594,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "Az SSSD nem root-ként fut." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Hiba lépett fel, de nem érhetőek el részletek." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Szerver üzenete:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "A jelszavak nem egyeznek" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "A jelszó root általi visszaállítása nem támogatott." 
-#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Azonosítva gyorsítótárazott adatbázisból" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", a gyorsítótárazott jelszó lejár ekkor: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "A bejelentkezés tiltott eddig:" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "A rendszer nem érhető el, a jelszó megváltoztatása nem lehetséges" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "A jelszó megváltoztatása nem sikerült." 
-#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Új jelszó:" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Jelszó mégegyszer: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Jelszó: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Jelenlegi jelszó:" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "A jelszava lejárt, változtass meg most." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1735,27 +1749,27 @@ msgstr ""
 msgid "Error looking up public keys\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188
 msgid "The port to use to connect to the host"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192
 msgid "Print the host ssh public keys"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234
 msgid "Invalid port\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239
 msgid "Host not specified\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245
 msgid "The path to the proxy command must be absolute\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324
 #, c-format
 msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n"
 msgstr ""
@@ -1807,21 +1821,21 @@ msgstr ""
 
 #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
-#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200
 #: src/tools/sss_usermod.c:162
 msgid "Error initializing the tools - no local domain\n"
 msgstr ""
 
 #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
-#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202
 #: src/tools/sss_usermod.c:164
 msgid "Error initializing the tools\n"
 msgstr ""
 
 #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
-#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211
 #: src/tools/sss_usermod.c:173
 msgid "Invalid domain specified in FQDN\n"
 msgstr ""
@@ -1842,7 +1856,7 @@ msgstr ""
 msgid "Cannot find group %1$s in local domain\n"
 msgstr ""
 
-#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221
 msgid "Cannot set default values\n"
 msgstr "Nem lehet beállítani az alapértékeket\n"
 
@@ -1921,7 +1935,7 @@ msgstr ""
 
 #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
-#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282
 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
 #, c-format
 msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
@@ -1983,15 +1997,15 @@ msgstr ""
 msgid "Transaction error. Could not modify group.\n"
 msgstr ""
 
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr ""
+
 #: src/tools/sss_groupshow.c:615
 #, c-format
 msgid "%1$s%2$sGroup: %3$s\n"
 msgstr ""
 
-#: src/tools/sss_groupshow.c:616
-msgid "Magic Private "
-msgstr ""
-
 #: src/tools/sss_groupshow.c:618
 #, c-format
 msgid "%1$sGID number: %2$d\n"
@@ -2034,68 +2048,68 @@ msgstr ""
 msgid "Internal error. Could not print group.\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:136
+#: src/tools/sss_userdel.c:138
 msgid "Remove home directory and mail spool"
 msgstr ""
 
-#: src/tools/sss_userdel.c:138
+#: src/tools/sss_userdel.c:140
 msgid "Do not remove home directory and mail spool"
 msgstr "Ne törölje a saját könyvtárat és a helyi levelezést"
 
-#: src/tools/sss_userdel.c:140
+#: src/tools/sss_userdel.c:142
 msgid "Force removal of files not owned by the user"
 msgstr "Nem a felhasználó tulajdonában lévő fájlok törlése"
 
-#: src/tools/sss_userdel.c:142
+#: src/tools/sss_userdel.c:144
 msgid "Kill users' processes before removing him"
 msgstr "Felhasználó programjainak kilövése az eltávolítás előtt"
 
-#: src/tools/sss_userdel.c:188
+#: src/tools/sss_userdel.c:190
 msgid "Specify user to delete\n"
 msgstr "Adja meg a törlendő felhasználót\n"
 
-#: src/tools/sss_userdel.c:234
+#: src/tools/sss_userdel.c:236
 #, c-format
 msgid "User %1$s is outside the defined ID range for domain\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:259
+#: src/tools/sss_userdel.c:261
 msgid "Cannot reset SELinux login context\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:271
+#: src/tools/sss_userdel.c:273
 #, c-format
 msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:276
+#: src/tools/sss_userdel.c:278
 msgid "Cannot determine if the user was logged in on this platform"
 msgstr ""
 
-#: src/tools/sss_userdel.c:281
+#: src/tools/sss_userdel.c:283
 msgid "Error while checking if the user was logged in\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:288
+#: src/tools/sss_userdel.c:290
 #, c-format
 msgid "The post-delete command failed: %1$s\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:308
+#: src/tools/sss_userdel.c:310
 msgid "Not removing home dir - not owned by user\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:310
+#: src/tools/sss_userdel.c:312
 #, c-format
 msgid "Cannot remove homedir: %1$s\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:324
+#: src/tools/sss_userdel.c:326
 msgid ""
 "No such user in local domain. Removing users only allowed in local domain.\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:329
+#: src/tools/sss_userdel.c:331
 msgid "Internal error. Could not remove user.\n"
 msgstr "Belső hiba történt, nem lehetett eltávolítani a felhasználót.\n"
 
@@ -2174,88 +2188,88 @@ msgstr ""
 msgid "Couldn't invalidate %1$s %2$s\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:706
+#: src/tools/sss_cache.c:721
 msgid "Invalidate all cached entries"
 msgstr ""
 
-#: src/tools/sss_cache.c:708
+#: src/tools/sss_cache.c:723
 msgid "Invalidate particular user"
 msgstr ""
 
-#: src/tools/sss_cache.c:710
+#: src/tools/sss_cache.c:725
 msgid "Invalidate all users"
 msgstr ""
 
-#: src/tools/sss_cache.c:712
+#: src/tools/sss_cache.c:727
 msgid "Invalidate particular group"
 msgstr ""
 
-#: src/tools/sss_cache.c:714
+#: src/tools/sss_cache.c:729
 msgid "Invalidate all groups"
 msgstr ""
 
-#: src/tools/sss_cache.c:716
+#: src/tools/sss_cache.c:731
 msgid "Invalidate particular netgroup"
 msgstr ""
 
-#: src/tools/sss_cache.c:718
+#: src/tools/sss_cache.c:733
 msgid "Invalidate all netgroups"
 msgstr ""
 
-#: src/tools/sss_cache.c:720
+#: src/tools/sss_cache.c:735
 msgid "Invalidate particular service"
 msgstr ""
 
-#: src/tools/sss_cache.c:722
+#: src/tools/sss_cache.c:737
 msgid "Invalidate all services"
 msgstr ""
 
-#: src/tools/sss_cache.c:725
+#: src/tools/sss_cache.c:740
 msgid "Invalidate particular autofs map"
 msgstr ""
 
-#: src/tools/sss_cache.c:727
+#: src/tools/sss_cache.c:742
 msgid "Invalidate all autofs maps"
 msgstr ""
 
-#: src/tools/sss_cache.c:731
+#: src/tools/sss_cache.c:746
 msgid "Invalidate particular SSH host"
 msgstr ""
 
-#: src/tools/sss_cache.c:733
+#: src/tools/sss_cache.c:748
 msgid "Invalidate all SSH hosts"
 msgstr ""
 
-#: src/tools/sss_cache.c:737
+#: src/tools/sss_cache.c:752
 msgid "Invalidate particular sudo rule"
 msgstr ""
 
-#: src/tools/sss_cache.c:739
+#: src/tools/sss_cache.c:754
 msgid "Invalidate all cached sudo rules"
 msgstr ""
 
-#: src/tools/sss_cache.c:742
+#: src/tools/sss_cache.c:757
 msgid "Only invalidate entries from a particular domain"
 msgstr ""
 
-#: src/tools/sss_cache.c:796
+#: src/tools/sss_cache.c:811
 msgid ""
 "Unexpected argument(s) provided, options that invalidate a single object "
 "only accept a single provided argument.\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:806
+#: src/tools/sss_cache.c:821
 msgid "Please select at least one object to invalidate\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:889
+#: src/tools/sss_cache.c:904
 #, c-format
 msgid ""
 "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
 "use fully qualified name instead of --domain/-d parameter.\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:894
+#: src/tools/sss_cache.c:909
 msgid "Could not open available domains\n"
 msgstr ""
 
@@ -2290,7 +2304,6 @@ msgid "Invalid result."
 msgstr ""
 
 #: src/tools/sssctl/sssctl.c:78
-#, c-format
 msgid "Unable to read user input\n"
 msgstr ""
 
@@ -2300,7 +2313,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
-#, c-format
 msgid "Error while executing external command\n"
 msgstr ""
 
@@ -2376,32 +2388,53 @@ msgstr ""
 msgid "Search by group ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:67
+#: src/tools/sssctl/sssctl_config.c:70
 #, c-format
-msgid ""
-"File %1$s does not exist. SSSD will use default configuration with files "
-"provider.\n"
+msgid "Failed to open %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:81
+#: src/tools/sssctl/sssctl_config.c:75
 #, c-format
+msgid "File %1$s does not exist.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:79
 msgid ""
 "File ownership and permissions check failed. Expected root:root and 0600.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:104
+#: src/tools/sssctl/sssctl_config.c:85
+#, c-format
+msgid "Failed to load configuration configuration from %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:91
+msgid "Error while reading configuration directory.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:99
+msgid ""
+"There is no configuration. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:111
+msgid "Failed to run validators"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:115
 #, c-format
 msgid "Issues identified by validators: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:114
+#: src/tools/sssctl/sssctl_config.c:126
 #, c-format
 msgid "Messages generated during configuration merging: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:127
+#: src/tools/sssctl/sssctl_config.c:137
 #, c-format
-msgid "Used configuration snippet files: %u\n"
+msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:89
@@ -2414,12 +2447,10 @@ msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:111
-#, c-format
 msgid "Unable to export user overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:118
-#, c-format
 msgid "Unable to export group overrides\n"
 msgstr ""
 
@@ -2428,17 +2459,15 @@ msgid "Override existing backup"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:164
-#, c-format
 msgid "Unable to import user overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:173
-#, c-format
 msgid "Unable to import group overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
-#: src/tools/sssctl/sssctl_domains.c:315
+#: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
@@ -2459,27 +2488,22 @@ msgid "Start SSSD when the cache is removed"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:235
-#, c-format
 msgid "Creating backup of local data...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:238
-#, c-format
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:243
-#, c-format
 msgid "Removing cache files...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:246
-#, c-format
 msgid "Unable to remove cache files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:251
-#, c-format
 msgid "Restoring local data...\n"
 msgstr ""
 
@@ -2487,17 +2511,11 @@ msgstr ""
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
 #: src/tools/sssctl/sssctl_user_checks.c:95
-#, c-format
 msgid "Unable to connect to system bus!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:167
-#, c-format
-msgid "Online status: %s\n"
-msgstr ""
-
 #: src/tools/sssctl/sssctl_domains.c:167
 msgid "Online"
 msgstr ""
@@ -2506,52 +2524,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2564,27 +2591,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2594,7 +2616,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2603,7 +2624,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2618,7 +2638,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2628,7 +2647,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2685,122 +2703,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/id.po b/po/id.po index ecfe3524a42..3ffde26aaeb 100644 --- a/po/id.po +++ b/po/id.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:46+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Indonesian (http://www.transifex.com/projects/p/sssd/language/" @@ -77,12 +77,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -296,1280 +296,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Penyedia identitas" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Penyedia otentikasi" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Penyedia kontrol akses" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Penyedia pengubah kata sandi" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "ID pengguna minimum" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "ID pengguna maksimum" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service 
discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server 
used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Domain IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Alamat server IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nama host klien IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups 
of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for 
user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid 
"Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum 
age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Alamat server Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Realm Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: 
src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, URI server LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Jenis Skema yang digunakan pada server LDAP, rfc2307" 
-#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Lamanya waktu untuk mencoba koneksi" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Lamanya waktu untuk mencoba operasi LDAP yang sinkron" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Lamanya waktu antara upaya untuk menyambung kembali saat luring" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: 
src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Membutuhkan verifikasi sertifikat TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Tentukan mekanisme sasl yang digunakan" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Tentukan id otorisasi sasl yang digunakan" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Keytab layanan Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Gunakan otentikasi Kerberos untuk koneksi LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single 
LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of 
objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Lingkup pencarian pengguna" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filter pencarian pengguna" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass untuk pengguna" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Atribut Nama pengguna" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Atribut UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Atribut GID Primer" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Atribut GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Atribut direktori Home" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Atribut Shell" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Atribut utama pengguna (untuk Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nama Lengkap" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Atribut memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Atribut waktu modifikasi" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: 
src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the 
ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: 
src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN 
for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Daftar pengguna yang diijinkan dalam format yang dipisahkan koma" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Daftar pengguna yang tidak diijinkan dalam format yang dipisahkan koma" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Shell default, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." 
msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1577,146 +1591,146 @@ msgstr ""
 msgid "Domain of the information provider (mandatory)"
 msgstr ""
 
-#: src/sss_client/common.c:1084
+#: src/sss_client/common.c:1079
 msgid "Privileged socket has wrong ownership or permissions."
 msgstr ""
 
-#: src/sss_client/common.c:1087
+#: src/sss_client/common.c:1082
 msgid "Public socket has wrong ownership or permissions."
 msgstr ""
 
-#: src/sss_client/common.c:1090
+#: src/sss_client/common.c:1085
 msgid "Unexpected format of the server credential message."
 msgstr ""
 
-#: src/sss_client/common.c:1093
+#: src/sss_client/common.c:1088
 msgid "SSSD is not run by root."
 msgstr ""
 
-#: src/sss_client/common.c:1096
+#: src/sss_client/common.c:1091
 msgid "SSSD socket does not exist."
 msgstr ""
 
-#: src/sss_client/common.c:1099
+#: src/sss_client/common.c:1094
 msgid "Cannot get stat of SSSD socket."
 msgstr ""
 
-#: src/sss_client/common.c:1104
+#: src/sss_client/common.c:1099
 msgid "An error occurred, but no description can be found."
 msgstr ""
 
-#: src/sss_client/common.c:1110
+#: src/sss_client/common.c:1105
 msgid "Unexpected error while looking for an error description"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:67
+#: src/sss_client/pam_sss.c:68
 msgid "Permission denied. "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778
-#: src/sss_client/pam_sss.c:789
+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779
+#: src/sss_client/pam_sss.c:790
 msgid "Server message: "
 msgstr "Pesan server:"
 
-#: src/sss_client/pam_sss.c:296
+#: src/sss_client/pam_sss.c:297
 msgid "Passwords do not match"
 msgstr "Kata sandi tidak cocok"
 
-#: src/sss_client/pam_sss.c:484
+#: src/sss_client/pam_sss.c:485
 msgid "Password reset by root is not supported."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:525
+#: src/sss_client/pam_sss.c:526
 msgid "Authenticated with cached credentials"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:526
+#: src/sss_client/pam_sss.c:527
 msgid ", your cached password will expire at: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:556
+#: src/sss_client/pam_sss.c:557
 #, c-format
 msgid "Your password has expired. You have %1$d grace login(s) remaining."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:602
+#: src/sss_client/pam_sss.c:603
 #, c-format
 msgid "Your password will expire in %1$d %2$s."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:651
+#: src/sss_client/pam_sss.c:652
 msgid "Authentication is denied until: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:672
+#: src/sss_client/pam_sss.c:673
 msgid "System is offline, password change not possible"
 msgstr "Sistem sedang luring, perubahan kata sandi tidak dimungkinkan"
 
-#: src/sss_client/pam_sss.c:687
+#: src/sss_client/pam_sss.c:688
 msgid ""
 "After changing the OTP password, you need to log out and back in order to "
 "acquire a ticket"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788
+#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789
 msgid "Password change failed. "
 msgstr "Perubahan kata sandi gagal."
 
-#: src/sss_client/pam_sss.c:1989
+#: src/sss_client/pam_sss.c:2008
 msgid "New Password: "
 msgstr "Kata Sandi Baru: "
 
-#: src/sss_client/pam_sss.c:1990
+#: src/sss_client/pam_sss.c:2009
 msgid "Reenter new Password: "
 msgstr "Masukkan lagi kata sandi baru:"
 
-#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155
+#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174
 msgid "First Factor: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324
+#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343
 msgid "Second Factor (optional): "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327
+#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346
 msgid "Second Factor: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2171
+#: src/sss_client/pam_sss.c:2190
 msgid "Password: "
 msgstr "Kata sandi:"
 
-#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326
+#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345
 msgid "First Factor (Current Password): "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2330
+#: src/sss_client/pam_sss.c:2349
 msgid "Current Password: "
 msgstr "Kata sandi saat ini:"
 
-#: src/sss_client/pam_sss.c:2685
+#: src/sss_client/pam_sss.c:2704
 msgid "Password expired. Change your password now."
 msgstr ""
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48
 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
-#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
-#: src/tools/sss_cache.c:704
+#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:719
 msgid "The debug level to run with"
 msgstr ""
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190
 msgid "The SSSD domain to use"
 msgstr ""
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
-#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
-#: src/tools/sss_cache.c:750
+#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:765
 msgid "Error setting the locale\n"
 msgstr ""
 
@@ -1732,27 +1746,27 @@ msgstr ""
 msgid "Error looking up public keys\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188
 msgid "The port to use to connect to the host"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192
 msgid "Print the host ssh public keys"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234
 msgid "Invalid port\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239
 msgid "Host not specified\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245
 msgid "The path to the proxy command must be absolute\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324
 #, c-format
 msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n"
 msgstr ""
@@ -1804,21 +1818,21 @@ msgstr "Tentukan pengguna untuk ditambahkan\n"
 
 #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
-#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200
 #: src/tools/sss_usermod.c:162
 msgid "Error initializing the tools - no local domain\n"
 msgstr ""
 
 #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
-#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202
 #: src/tools/sss_usermod.c:164
 msgid "Error initializing the tools\n"
 msgstr "Gagal saat menginisialisasi perkakas\n"
 
 #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
-#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211
 #: src/tools/sss_usermod.c:173
 msgid "Invalid domain specified in FQDN\n"
 msgstr "Domain yang ditentukan dalam FQDN tidak valid\n"
@@ -1839,7 +1853,7 @@ msgstr "Grup harus berada dalam domain yang sama dengan pengguna\n"
 msgid "Cannot find group %1$s in local domain\n"
 msgstr ""
 
-#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221
 msgid "Cannot set default values\n"
 msgstr "Tidak dapat menetapkan nilai default\n"
 
@@ -1917,7 +1931,7 @@ msgstr ""
 
 #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
-#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282
 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
 #, c-format
 msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
@@ -1986,15 +2000,15 @@ msgstr "Tidak bisa memodifikasi grup - periksa apakah groupname sudah benar\n"
 msgid "Transaction error. Could not modify group.\n"
 msgstr "Kesalahan transaksi. Tidak bisa memodifikasi grup.\n"
 
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr ""
+
 #: src/tools/sss_groupshow.c:615
 #, c-format
 msgid "%1$s%2$sGroup: %3$s\n"
 msgstr ""
 
-#: src/tools/sss_groupshow.c:616
-msgid "Magic Private "
-msgstr ""
-
 #: src/tools/sss_groupshow.c:618
 #, c-format
 msgid "%1$sGID number: %2$d\n"
@@ -2037,70 +2051,70 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Hapus direktori home, dan spool mail" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Jangan hapus direktori home dan spool mail" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Paksa penghapusan berkas yang tidak dimiliki oleh pengguna" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Tentukan pengguna yang akan dihapus\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "Tidak menghapus home dir - tidak dimiliki oleh pengguna\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" 
msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Tidak ada pengguna seperti itu di domain lokal. Menghapus pengguna hanya " "diperbolehkan dalam domain lokal.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Kesalahan internal. Tidak dapat menghapus pengguna.\n" 
@@ -2183,88 +2197,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2299,7 +2313,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2309,7 +2322,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2385,32 +2397,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2423,12 +2456,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2437,17 +2468,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2468,27 +2497,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2496,17 +2520,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2515,52 +2533,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2573,27 +2600,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2603,7 +2625,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2612,7 +2633,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2627,7 +2647,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2637,7 +2656,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2694,122 +2712,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/it.po b/po/it.po index 95bf67755f1..d01ff1b41c9 100644 --- a/po/it.po +++ b/po/it.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2019-03-06 08:57+0000\n" "Last-Translator: Milo Casagrande \n" "Language-Team: Italian (http://www.transifex.com/projects/p/sssd/language/" 
@@ -83,12 +83,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Timeout dei messaggi inviati tramite SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Espressione regolare per leggere nome utente e dominio" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Formato compatibile con printf per la visualizzazione di nomi completi" 
@@ -305,1287 +305,1301 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Provider di identità" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Provider di autenticazione" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Provider di access control" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Provider di cambio password" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "ID utente minimo" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "ID utente massimo" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all 
users/groups" msgstr "Consentire l'enumerazione di tutti gli utenti/gruppi" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Salvare in cache le credenziali per login offline" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Mostrare utenti/gruppi in formato fully-qualified" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Durata timeout elementi in cache (secondi)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Restringere o preferire una specifica famiglia di indirizzi per l'esecuzione " "di lookup DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Per quanto tempo tenere in cache gli elementi dopo un login che ha avuto " "successo (giorni)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: 
src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "Il tempo di attesa per le richieste DNS (secondi)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "L'interfaccia il cui indirizzo IP dovrebbe essere usato per aggiornamenti " "DNS dinamici." 
-#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Dominio IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: 
src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Indirizzo del server IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Hostname del client IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr 
"" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: 
src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Filtro LDAP per determinare i privilegi di accesso" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: 
src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Indirizzo del server Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Realm Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Timeout di autenticazione" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Directory in cui salvare le credenziali" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Percorso della cache delle credenziali utente" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Percorso del keytab per la validazione delle credenziali" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Abilita la validazione delle credenziali" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Intervallo di tempo tra due controlli di rinnovo" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Abilita FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: 
src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Server dove viene eseguito il servizio di cambio password, se non nel KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, l'indirizzo del server LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Il base DN predefinito" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Lo Schema Type utilizzato dal server LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Il bind DN predefinito" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Il tipo di token di autenticazione del bind DN predefinito" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Il token di autenticazione del bind DN 
predefinito" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Durata del tentativo di connessione" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Durata del tentativo di esecuzione di operazioni LDAP sincrone" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Durata tra tentativi di riconnessione quando offline" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Usare solo maiuscole per i nomi dei realm" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "File contenente i certificati CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Percorso della directory dei cerficati della CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "File contenente il certificato client" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "File contenente la chiave client" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Lista delle possibili cipher suite" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Richiedere la verifica del certificato TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 
msgid "Specify the sasl mechanism to use" msgstr "Specificare il meccanismo sasl da usare" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Specificare l'id di autorizzazione sasl da usare" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Keytab del servizio Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Usare autorizzazione Kerberos per la connessione LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Seguire i referral LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Metodo di deferenziazione degli alias" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: 
src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Durata attesa per le richieste di ricerca" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Durata tra gli aggiornamenti alle enumeration" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Intervallo di tempo per la pulizia cache" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Richiedere TLS per gli ID lookup" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: 
src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Base DN per i lookup utente" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Ambito di applicazione dei lookup utente" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtro per i lookup utente" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass per gli utenti" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Attributo del nome utente" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Attributo UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Attributo del GID primario" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Attributo GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Attributo della home directory" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Attributo della shell" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Attributo user principal (per Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nome completo" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Attributo memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Attributo data di modifica" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 
msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: 
src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: 
src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Politica per controllare la scadenza della password" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update 
the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: 
src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN 
for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Lista separata da virgola degli utenti abilitati" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Lista separata da virgola degli utenti non abilitati" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Shell predefinita, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Base delle home directory" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Il nome della libreria NSS da usare" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Stack PAM da usare" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Esegui come demone (default)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Esegui interattivamente (non come demone)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Specificare un file di configurazione specifico" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Livello debug" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Includi timestamp di debug" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Un descrittore di file aperto per l'output di 
debug" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1593,146 +1607,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Dominio del provider di informazioni (obbligatorio)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "Il socket privilegiato ha permessi o propritario non validi." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "Il socket pubblico ha permessi o propritario non validi." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD non è eseguito da root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Messaggio del server:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Le password non coincidono" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Autenticato con le credenziali nella cache" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", la password in cache scadrà il: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "L'autenticazione verrà negata fino al: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Il sistema è offline, non è possibile richiedere un cambio password" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Cambio password fallito." 
-#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nuova password: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Conferma nuova password: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Password: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Password corrente: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Password scaduta. Cambiare la password ora." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Il livello di debug da utilizzare" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Errore di impostazione del locale\n" 
@@ -1748,27 +1762,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1820,21 +1834,21 @@ msgstr "Specificare un utente da aggiungere\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Errore durante l'inizializzazione degli strumenti - nessun dominio\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Errore durante l'inizializzazione degli strumenti\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Il dominio specificato nel FQDN non è valido\n" @@ -1855,7 +1869,7 @@ msgstr "I gruppi devono essere nello stesso dominio dell'utente\n" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Impossibile impostare i valori predefiniti\n" 
@@ -1934,7 +1948,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2005,15 +2019,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Errore della transazione. Impossibile modificare il gruppo.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magic Private " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2058,70 +2072,70 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Errore interno. Impossibile stampare il gruppo.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Eliminare home directory e spool di mail" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Non eliminare la home directory e lo spool di mail" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Forza la rimozione dei file non di proprietà dell'utente" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Specificare l'utente da cancellare\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "Home directory non eliminata - non appartiene all'utente\n" -#: src/tools/sss_userdel.c:310 +#: 
src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Utente non presente nel dominio locale. L'eliminazione degli utenti è " "permessa solo nel dominio locale.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Errore interno. Impossibile rimuovere l'utente.\n" 
@@ -2204,88 +2218,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2320,7 +2334,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2330,7 +2343,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2406,32 +2418,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2444,12 +2477,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2458,17 +2489,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2489,27 +2518,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2517,17 +2541,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2536,52 +2554,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2594,27 +2621,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2624,7 +2646,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2633,7 +2654,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2648,7 +2668,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2658,7 +2677,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2715,122 +2733,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/nb.po b/po/nb.po index 30e5471fe0d..4b616074d61 100644 --- a/po/nb.po +++ b/po/nb.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:46+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Norwegian Bokmål (http://www.transifex.com/projects/p/sssd/" @@ -78,12 +78,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Tidsavbrudd for meldinger som sendes over SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -297,1280 +297,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Identitetstilbyder" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Autentiseringstilbyder" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Tilgangskontrolltilbyder" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Passordbyttetilbyder" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Minste bruker-ID" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Største bruker-ID" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery 
DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to 
perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-domene" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA-tjeneradresse" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Vertsnavn for IPA-klient" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of 
the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user 
override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation 
mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in 
days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Tjeneradresse for Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberos-område" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Tidsavbrudd for autentisering" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: 
src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: 
src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS 
certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host 
name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: 
src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: 
src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to 
filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 
msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: 
src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1578,146 +1592,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1733,27 +1747,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1805,21 +1819,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1840,7 +1854,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1917,7 +1931,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1979,15 +1993,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2030,68 +2044,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2170,88 +2184,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2286,7 +2300,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2296,7 +2309,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2372,32 +2384,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2410,12 +2443,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2424,17 +2455,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2455,27 +2484,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2483,17 +2507,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2502,52 +2520,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2560,27 +2587,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2590,7 +2612,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2599,7 +2620,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2614,7 +2634,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2624,7 +2643,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2681,122 +2699,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/nl.po b/po/nl.po index 256fc62c220..7c9399f674e 100644 --- a/po/nl.po +++ b/po/nl.po @@ -13,7 +13,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:47+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/" 
@@ -85,12 +85,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Timeout voor berichten die over SBUS worden verzonden" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Reguliere expressie om gebruikersnamen en domeinen te ontleden" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Printf-compatibel formaat voor het tonen van namen in volledige vorm" 
@@ -323,318 +323,328 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Lijst met UID's of gebruikersnamen waarvoor toegang tot de PAC responder " "toegestaan is" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: 
src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 
+#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Identiteitaanbieder" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Authentiecatieaanbieder" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Toegangscontroleaanbieder" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Wachtwoordwijzigingsaanbieder" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "SUDO provider" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Autofs provider" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Host identity provider" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Minimum gebruiker ID" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr 
"Maximum gebruiker ID" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Schakel enumeratie van alle gebruikers/groepen" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Cache inloggegevens voor offline gebruik" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Laat gebruikers/groepen in volledige vorm zien" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Neem groepsleden niet mee in groep zoekacties" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Entry cache timeout duur (in seconden)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Beperk of geef de voorkeur aan een specifieke adresfamilie wanneer er DNS-" "lookups uitgevoerd worden" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Hoe lang blijven gegevens opgeslagen na een succesvolle login (in dagen)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk 
to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Hoe lang te wachten op antwoord van de DSN bij het opzoeken van servers (in " "seconden)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Het domeingedeelte van DNS queries die service discovery uitvoeren" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "Overschrijf GID waarde van de identiteit aanbieder met deze waarde" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Behandel gebruikersnamen als hoofdlettergevoelig" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Hoe vaak moeten verlopen ingangen op de achtergrond ververst worden" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Of de DNS ingang van de cliënt automatisch vernieuwd moet worden" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" "De TTL die toegepast moet worden op de DNS ingang van de cliënt na het " "vernieuwen hiervan" -#: 
src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "De adapter wiens IP-adres gebruikt moet worden voor het dynamisch bijwerken " "van de DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Hoe vaak de DNS ingang van de client periodiek vernieuwd moet worden" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "Of de provider ook de PTR record expliciet moet vernieuwen" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Of het nsupdate hulpprogramma standaard TCP moet gebruiken" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Welke soort authenticatie moet gebruikt worden om de DNS vernieuwing uit te " "voeren" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: 
src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-domein" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA-serveradres" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adres van back-up IPA server" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA-clienthostname" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Of de DNS-gegevens van de client automatisch bijgewerkt moeten worden in " "FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Zoek basis voor HBAC gerelateerde objecten" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "De tijdsduur tussen het opzoeken van HBAC regels voor de IPA server" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" 
@@ -642,376 +652,376 @@ msgstr "" "De tijdsduur in seconden tussen zoekopdrachten in de SELinux mappen voor de " "IPA server" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Als dit op false ingesteld is, wordt het host argument gegeven door PAM " "genegeerd" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "De automounter locatie die door deze IPA client wordt gebruikt" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "Zoek in base voor object die info over IPA domein bevat " -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "Zoek in base voor objecten die info over ID bereiken bevat" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "Zet DNS sites aan - locatie gebaseerde service ontdekking" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: 
src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Active Directory domein" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Active Directory server adres" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Active Directory back-up server adres" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Active Directory cliënt hostnaam" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: 
src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "LDAP-filter om toegangsprivileges mee te bepalen" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 
+#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos-serveradres" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Kerberos back-up server adres" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberos-rijk" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Authenticatie timeout" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Moeten kdcinfo bestanden aangemaakt worden" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Werkmap waar authenticatiegegevens opgeslagen worden" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" 
msgstr "Locatie van de authenticatiecache van de gebruiker" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Locatie van de keytab om authenticatiegegevens te valideren" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Schakel authenticatiegegevensvalidatie in" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "Sla het wachtwoord op indien offline voor later gebruik bij online " "authenticatie" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Vernieuwbare levensduur van de TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Levensduur van de TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Tijd tussen twee checks voor vernieuwing" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Zet FAST aan" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Selecteert de hoofdpersoon te gebruiken voor FAST " -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Zet hoofdpersoon sanctioneren aan" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Zet enterprise principals aan" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user 
names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Server waar het wachtwoord wijzigingsservice draait indien niet op de KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, de URI van de LDAP server" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, De URI van de LDAP server" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "De standaard base DN" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Het schema type wat gebruikt wordt op de LDAP server, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "De standaard bind DN" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Het type authenticatietoken van de standaard bind DN" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Het authenticatietoken van de standaard bind DN" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Hoe lang 
pogen te verbinden" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Hoe lang proberen synchroon LDAP te benaderen" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" "Duur tussen pogingen om de verbinding opnieuw tot stand te brengen tijdens " "offline zijn" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Gebruik alleen hoofdletters voor gebiedsnamen" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Bestand dat de bekende CA-certificaten bevat" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Pad naar de CA-certificatenmap" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Bestand dat het client certificaat bevat" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Bestand dat de client sleutel bevat" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Lijst van mogelijke sleutel suites" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Vereis verificatie van het TLS-certificaat" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Geef het SASL-mechanisme op wat gebruikt moet worden" -#: 
src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Geef het SASL-authorisatie-ID op wat gebruikt moet worden" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Specificeer het te gebruiken sasl autorisatiegebied " -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Specificeer de minimale SSF voor LDAP sasl autorisatie" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Kerberos service keytab" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Gebruik Kerberos authenticatie voor LDAP-connectie" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Volg LDAP-doorverwijzingen" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Levensduur van TGT voor LDAP-connectie" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Hoe moet de alias referentie verwijderd worden" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Service naam voor DNS service opzoeken" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" "Het aantal records dat opgehaald moet worden met een enkele LDAP bevraging" -#: src/config/SSSDConfig/__init__.py.in:312 +#: 
src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "Het aantal leden van moet ontbreken om een volledige de-referentie te " "veroorzaken" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1019,382 +1029,382 @@ msgstr "" "Moet de LDAP bibliotheek omgekeerd opzoeken uitvoeren om de hostnaam te " "autoriseren tijdens een SASL binding" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "entryUSN attribuut" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "lastUSN attribuut" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "Hoe lang een verbinding met de LDAP server gebouden moet blijven voordat het " "losgekoppeld wordt" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Het LDAP paging besturingselement uitschakelen" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Zet Active Directory bereik opvragen uit" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Tijd om te wachten op een zoekopdracht" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Tijdsduur te wachten voor een opsommingsverzoek" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Tijd om te wachten tussen enumeratie-updates" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Tijdsduur tussen cache opschoningen" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr 
"Vereis TLS voor het opzoeken van ID's" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "Gebruik ID-mapping van objectSID gebruiken in plaats van pre-set ID's" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Base DN voor het opzoeken van gebruikers" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Scope voor het opzoeken van gebruikers" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filter voor het opzoeken van gebruikers" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass voor gebruikers" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Username-attribuut" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "UID-attribuut" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Primair GID-attribuut" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "GECOS-attribuut" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Gebruikersmap-attribuut" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Shell-attribuut" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: 
src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "objectSID attribuut" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Active Directory primaire groep attribuut voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Userprincipal-attribuut (voor Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Volledige naam" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "memberOf-attribuut" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Modification time-attribuut" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "shadowLastChange attribuut" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "shadowMin attribuut" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "shadowMax attribuut" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "shadowWarning attribuut" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "shadowInactive attribuut" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "shadowExpire attribuut" -#: 
src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "shadowFlag attribuut" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Attribuut voor tonen van geautoriseerde PAM services" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Attribuut dat geautoriseerde server hosts toont" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "krbLastPwdChange attribuut" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "krbPasswordExpiration attribuut" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "Attribuut welke aangeeft dat wachtwoordtactiek op de server actief is" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "accountExpires attribuut van AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "userAccountControl attribuut van AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "nsAccountLock attribuut" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "loginDisabled attribuut van NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: 
src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "loginExpirationTime attribuut van NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "loginAllowedTimeMap attribuut van NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "SSH publieke sleutel attribuut" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "Basis DN voor groep opzoeken" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Objectklasse voor groepen" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Groepsnaam" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Groep wachtwoord" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "GID attribuut" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Groep 
deelnemer attribuut" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Verandertijd attribuut voor groepen" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "Basis DN voor netgroep opzoeken" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Objectklasse voor netgroepen" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Netgroep naam" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Netgroep leden attribuut" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Netgroep triple attibuut" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Verandertijd attribuut voor netgroepen" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Basis DN voor service lookups" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 
msgid "Objectclass for services" msgstr "Objectclass voor services" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Service naam attribuut" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Service port attribuut" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Service protocol attribuut" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Ondergrens voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Bovengrens voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Aantal ID's voor elk segment bij ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "Gebruik autorid-compatibel algoritme voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Naam van het standaard domein voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID van het standaard domein voor ID-mapping" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: 
src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Laagste grens instellen voor toegestane id's van de LDAP-server" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Hoogste grens instellen voor toegestane id's van de LDAP-server" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Policy om wacthwoordverloop mee te evalueren" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" "Welke attributen worden gebruikt voor evaluatie als het account verlopen is" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" "Welke regels moeten gebruikt worden voor de evaluatie van toegangscontrole" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" "URI van een LDAP server waarop wachtwoord veranderingen toegestaan zijn" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" "URI van een back-up LDAP server waar wachtwoord veranderingen toegestaan zijn" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for 
LDAP password change server" msgstr "DNS service naam voor LDAP wachtwoord verander server" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" @@ -1402,23 +1412,23 @@ msgstr "" "Moet het ldap_user_shadow_last_change attribuut vernieuwd worden na een " "wachtwoordwijziging" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Basis DN voor sudo regels lookups" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Automatische volledige ververs periode" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Automatische slimme ververs periode" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "Moeten regels gefilterd worden volgens hostnaam, IP adres en netwerk" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1426,221 +1436,225 @@ msgstr "" "Hostnamen en/of volledig gekwalificeerde domeinnamen van deze machine voor " "het filteren van sudo regels" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "IPv4 of IPv6 adressen of netwerk van deze machine voor het filteren van sudo " "regels" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Moeten regels toegevoegd worden die netgroep bevatten in host attribuut " -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Moeten regels toegevoegd worden die regulaire expressie bevatten in host " "attribuut " -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Objectklasse voor sudo regels" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Sudo regelnaam" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Sudo regel opdracht attribuut" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Sudo regel host attribuut" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Sudo regel gebruiker attribuut" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "Sudo regel 
optie attribuut" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "Sudo regel runasuser attribuut" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Sudo regel runasgroup attribuut" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Sudo regel notbefore attribuut" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Sudo regel notafter attribuut" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Sudo regel volgorde attribuut" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Object class voor automounter maps" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Automounter map naam attribuut" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Objectklasse voor automounter map ingaven" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Automounter map sleutel ingave attribuut" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Automounter map ingavewaarde attribuut" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for 
automounter map lookups" msgstr "Basis DN voor automounter kaart opzoeken" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Kommagescheiden lijst van toegestane gebruikers" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Kommagescheiden lijst van geweigerde gebruikers" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Standaard shell, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Basis voor gebruikersmappen" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "De naam van de NSS-bibliotheek die gebruikt wordt" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "Moet indien mogelijk canonieke groepsnaam in cache opgezocht worden " -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "PAM-stack die gebruikt wordt" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Start in de achtergrond (standaard)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Start interactief (standaard)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Geef een niet-standaard configuratiebestand op" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Print versie nummer en sluit af" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Debug niveau" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Voeg tijdstempels toe aan debugberichten" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Toon tijdstempel met microseconden" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for 
the debug logs" msgstr "Een geopend bestand voor de debug logs" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1648,148 +1662,148 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Domein voor de informatie provider (verplicht)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "Socket met privileges heeft verkeerde rechten of eigendom." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "Publiek socket heeft verkeerde rechten of eigendom." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Onverwacht formaat van het inloggegevensbericht van de server." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD wordt niet door root gestart." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" "Er is een fout opgetreden, maar er kan geen omschrijving gevonden worden." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Onverwachtte fout bij het opzoeken van een omschrijving" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. 
" msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Serverbericht:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Wachtwoorden komen niet overeen" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Wachtwoorden als root wijzigen wordt niet ondersteund." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Geauthenticeerd met gecachte inloggegevens." -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", uw wachtwoord verloopt op:" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" "Je wachtwoord is verlopen. Je hebt nog slechts %1$d login(s) beschikbaar." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Je wachtwoord zal verlopen in %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Inloggen wordt geweigerd tot:" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Systeem is offline, wachtwoord wijzigen niet mogelijk" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "Wijzigen van wachtwoord mislukt." -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nieuw Wachtwoord: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Voer nieuw wachtwoord nogmaals in: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Wachtwoord: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Huidig wachtwoord:" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Wachtwoord verlopen. Verander nu uw wachtwoord." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Het debugniveau waarmee gestart wordt" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "Hrt te gebruiken SSSD domein" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Fout bij het zetten van de locale\n" 
@@ -1805,27 +1819,27 @@ msgstr "Gebruiker niet gespecificeerd\n" msgid "Error looking up public keys\n" msgstr "Fout bij het opzoeken van publieke sleutels\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "De te gebruiken poort voor het verbinden met de host" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Ongeldige poort\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Host niet gespecificeerd\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Het pad naar het proxy commando moet absoluut zijn\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1877,21 +1891,21 @@ msgstr "Geef gebruiker op om toe te voegen\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Fout bij de initialisatie van de tools - geen lokaal domein\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Fout bij de initialisatie van de tools\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Verkeerd domein gespecificeerd in de FQDN\n" @@ -1915,7 +1929,7 @@ msgstr "" "Kan groep %1$s niet in lokale domein vinden\n" "\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Kan de standaardwaarden niet zetten\n" @@ -1992,7 +2006,7 @@ msgstr "Groep %1$s ligt buiten het gedefinieerde ID gebied voor domein\n" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -2066,15 +2080,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Transactiefout. Kan de groep niet aanpassen.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGroep: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magic Private " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2123,75 +2137,75 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Interne fout. Kan de groep niet weergeven.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Verwijder gebruikersmap en postbestand" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Verwijder gebruikersmap en postbestand niet" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" "Forceer het verwijderen van bestanden die niet aan de gebruiker toebehoren" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" "Kill de processen van de gebruiker voordat de gebruiker verwijderd wordt" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Specificeer de te verwijderen gebruiker\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "Gebruiker %1$s ligt buiten het gedefinieerde ID bereik voor domein\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "Kan de SELinux logincontext niet herstellen\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "WAARSCHUWING: De gebruiker (uid %1$lu) was nog ingelogd bij het " "verwijderen.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "Kan niet bepalen of de gebruiker was ingelogd op dit platform" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "Fout bij het controleren of 
de gebruiker was ingelogd\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "Het post-verwijder commando mislukte: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" "De gebruikersmap wordt niet verwijderd - de gebruiker is geen eigenaar\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Kan persoonlijke map niet verwijderen: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Gebruiker bestaat niet in het lokale domein. Het verwijderen van gebruikers " "is alleen in het lokale domein toegestaan.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Interne fout. Kan de gebruiker niet verwijderen.\n" 
@@ -2275,81 +2289,81 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Maak bepaalde gebruiker ongeldig" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Maak alle gebruikers ongeldig" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Maak bepaalde groep ongeldig" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Maak alle groepen ongeldig" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Maak bepaalde netgroep ongeldig" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Maak alle netgroepen ongeldig" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Maak bepaalde service ongeldig " -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Maak alle services ongeldig" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Maak bepaalde autofs map ongeldig" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Maak alle autofs mappen ongeldig" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: 
src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Maak alleen ingangen van een bepaald domein ongeldig" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Selecteer tenminste een object om ongeldig te maken\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2359,7 +2373,7 @@ msgstr "" "is, gebruik dan de volledig gekwalificeerde naam in plaats van --domain/-d " "parameter.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Kon beschikbare domeinen niet openen\n" @@ -2394,7 +2408,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2404,7 +2417,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2480,32 +2492,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2518,12 +2551,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2532,17 +2563,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2563,27 +2592,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2591,17 +2615,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2610,52 +2628,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2668,27 +2695,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2698,7 +2720,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2707,7 +2728,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2722,7 +2742,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2732,7 +2751,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2789,122 +2807,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/pl.po b/po/pl.po index 250c3469f39..c5ca94f8e00 100644 --- a/po/pl.po +++ b/po/pl.po @@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2019-08-26 02:06+0000\n" "Last-Translator: Piotr Drąg \n" "Language-Team: Polish (http://www.transifex.com/projects/p/sssd/language/" 
@@ -90,12 +90,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Czas oczekiwania na komunikaty wysyłane przez SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Wyrażenie regularne do przetworzenia nazwy użytkownika i domeny" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Format zgodny z printf do wyświetlania w pełni kwalifikowanych nazw" 
@@ -331,55 +331,65 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "Ścieżka do miejsca przechowywania zaufanych certyfikatów CA" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Lista UID lub nazw użytkowników mających dostęp do programu odpowiadającego " "PAC" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "Jak długo dane PAC są uważane za prawidłowe" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Lista UID lub nazw użytkowników mających dostęp do programu odpowiadającego " "InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Lista atrybutów użytkownika, które InfoPipe może publikować" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "Dostawca przechowujący hasła" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "Maksymalnie dozwolona liczba zagnieżdżonych kontenerów" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "Maksymalna liczba przechowywanych haseł" -#: src/config/SSSDConfig/__init__.py.in:135 
+#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "Maksymalna liczba haseł przechowywanych na UID" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "Maksymalny rozmiar ładunku hasła w kilobajtach" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "Adres URL Custodia, który serwer nasłuchuje" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "Metoda używana podczas uwierzytelniania z serwerem Custodia" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" 
@@ -387,37 +397,37 @@ msgstr "" "Nazwa nagłówków dodawanych do żądania HTTP z wartością określoną " "w auth_header_value" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "Wartość, którą sssd-secrets używałoby dla auth_header_name" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "Lista nagłówków do przekazania do serwera Custodia razem z żądaniem" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" "Nazwa użytkownika używana podczas uwierzytelniania z serwerem Custodia za " "pomocą basic_auth" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" "Hasło używane podczas uwierzytelniania z serwerem Custodia za pomocą " "basic_auth" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" "Czy certyfikat prawdziwego partnera jest weryfikowany, jeśli proxy_url używa " "protokołu HTTPS" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" 
@@ -425,110 +435,110 @@ msgstr "" "Czy certyfikat fałszywego partnera może zawierać inną nazwę komputera niż " "proxy_url, kiedy używany jest protokół HTTPS" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "Ścieżka do katalogu z certyfikatami CA" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "Ścieżka do pliku zawierającego certyfikat CA serwera" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "Ścieżka do pliku zawierającego certyfikat klienta" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "Ścieżka do pliku zawierającego klucz prywatny klienta" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Dostawca tożsamości" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Dostawca uwierzytelniania" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Dostawca kontroli dostępu" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Dostawca zmiany hasła" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "Dostawca SUDO" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Dostawca Autofs" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" 
msgstr "Dostawca tożsamości komputera" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "Dostawca SELinuksa" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "Dostawca zarządzania sesją" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "Czy domena jest używalna przez system operacyjny lub aplikacje" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Minimalny identyfikator użytkownika" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Maksymalny identyfikator użytkownika" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Włącza wyliczanie wszystkich użytkowników/grup" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Dane uwierzytelniające pamięci podręcznej dla logowań w trybie offline" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Wyświetla użytkowników/grupy w pełni kwalifikowanej formie" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Bez dołączania członków grup w wyszukiwaniach grup" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: 
src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Czas oczekiwania pamięci podręcznej wpisów (sekundy)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Ogranicza lub preferuje podaną rodzinę adresów podczas wykonywania " "wyszukiwań DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Jak długo utrzymywać wpisy logowania w pamięci podręcznej po ostatnim udanym " "zalogowaniu (dni)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" 
@@ -536,197 +546,197 @@ msgstr "" "Jak długo SSSD ma komunikować się z jednym serwerem DNS przed spróbowaniem " "następnego serwera (milisekundy)" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "Jak długo próbować rozwiązać jedno zapytanie DNS (sekundy)" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Jak długo czekać na odpowiedzi od serwera DNS podczas rozwiązywania serwerów " "(sekundy)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Część domeny zapytania DNS wykrywania usługi" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "Zastępuje wartość GID z dostawcy tożsamości tą wartością" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Rozróżnianie wielkości liter w nazwach użytkowników" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Jak często odświeżać w tle wygasłe wpisy" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Czy automatycznie aktualizować wpis DNS klienta" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "TTL do zastosowania do wpisu DNS klienta po jego 
zaktualizowaniu" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "Interfejs, którego adres IP ma być używany do dynamicznych aktualizacji DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Jak często okresowo aktualizować wpis DNS klienta" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "Określa, czy dostawca ma aktualizować także wpis PTR" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Określa, czy narzędzie nsupdate ma domyślnie używać portu TCP" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Jakiego rodzaju uwierzytelnianie ma być używane do wykonywania aktualizacji " "DNS" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "Zastępuje serwer DNS używany do wykonywania aktualizacji DNS" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Kontrola wyliczania zaufanych domen" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Jak często odświeżać listę poddomen" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that 
should be inherited into a subdomain" msgstr "Lista opcji dziedziczonych przez poddomenę" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "Domyślna wartość katalogu domowego poddomeny" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" "Jak długo dane uwierzytelniania w pamięci podręcznej mogą być używane do " "uwierzytelniania w pamięci podręcznej" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "Czy automatycznie tworzyć prywatne grupy dla użytkowników" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Domena IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Adres serwera IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adres zapasowego serwera IPA" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nazwa komputera klienta IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Czy automatycznie aktualizować wpis DNS klienta w oprogramowaniu FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Podstawa wyszukiwania pod kątem obiektów związanych z HBAC" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA 
server" msgstr "Czas między wyszukiwaniami reguł HBAC w serwerze IPA" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "Czas w sekundach między wyszukiwaniami map SELinuksa w serwerze IPA" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Jeśli ustawiono na fałsz, to parametr komputera podany przez PAM zostanie " "zignorowany" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "Położenie automountera, którego używa ten klient IPA" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" "Podstawa wyszukiwania dla obiektów zawierających informacje o domenie IPA" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" "Podstawa wyszukiwania dla obiektów zawierających informacje o zakresach " "identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "Włącza witryny DNS — wykrywanie usług na podstawie położenia" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Podstawa wyszukiwania dla widoku kontenerów" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Klasa obiektu dla widoku kontenerów" -#: 
src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "Atrybut z nazwą widoku" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Klasa obiektu dla obiektów zastępowania" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "Atrybut z odniesieniem do pierwotnego obiektu" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Klasa obiektu dla obiektów zastępowania użytkownika" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Klasa obiektów dla obiektów zastępowania grup" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "Podstawa wyszukiwania pod kątem obiektów związanych z profilem pulpitu" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" "Czas w sekundach między wyszukiwaniami reguł profilu pulpitu w serwerze IPA" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" 
@@ -734,46 +744,46 @@ msgstr "" "Czas w minutach między wyszukiwaniami reguł profilów pulpitu w serwerze IPA, " "kiedy ostatnie żądanie nie odnalazło żadnej reguły" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Domena Active Directory" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "Włączone domeny Active Directory" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Adres serwera Active Directory" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Adres zapasowego serwera Active Directory" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Nazwa komputera klienta Active Directory" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Filtr LDAP do określenia uprawnień dostępu" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Czy używać Global Catalog do wyszukiwań" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Tryb działania dla kontroli dostępu opartej na GPO" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "Czas między wyszukiwaniami plików polityki GPO w serwerze AD" -#: 
src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -781,7 +791,7 @@ msgstr "" "Nazwy usług PAM mapujących do ustawień polityki GPO " "(Deny)InteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -789,263 +799,263 @@ msgstr "" "Nazwy usług PAM mapujących do ustawień polityki GPO " "(Deny)RemoteInteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)NetworkLogonRight" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)BatchLogonRight" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)ServiceLogonRight" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" "Nazwy usług PAM, dla których zawsze udzielany jest dostęp oparty na GPO" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" "Nazwy usług PAM, dla których zawsze odmawiany jest dostęp oparty na GPO" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Domyślne uprawnienie logowania (lub zezwolenie/odmowa) do użycia dla " "niemapowanych nazw usług PAM" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "konkretna strona używana przez klienta" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum 
age in days before the machine account password should be renewed" msgstr "" "Maksymalny wiek w dniach przed wymaganiem odnowienia hasła konta komputera" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "Opcja dostrajania zadania odnawiania konta komputera" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Adres serwera Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Adres zapasowego serwera Kerberos" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Obszar Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Czas oczekiwania na uwierzytelnienie" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Określa, czy tworzyć pliki kdcinfo" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Gdzie umieścić wstawki konfiguracji krb5" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" "Katalog do przechowywania pamięci podręcznych danych uwierzytelniających" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Położenie pamięci podręcznej danych uwierzytelniających użytkownika" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab 
to validate credentials" msgstr "Położenie tablicy kluczy do sprawdzania danych uwierzytelniających" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Włącza sprawdzanie danych uwierzytelniających" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "Przechowuje hasło, jeśli w trybie offline do późniejszego uwierzytelnienia " "w trybie online" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Odnawialny czas trwania TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Czas trwania TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Czas między dwoma sprawdzaniami odnowy" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Włącza FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Wybiera naczelnika do użycia dla FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Włącza ujednolicanie naczelnika" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Włącza naczelników enterprise" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "Mapa nazw użytkowników do nazw naczelników Kerberos" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: 
src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Serwer, w którym jest uruchomiona usługa zmiany haseł, jeśli nie znajduje " "się w KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, adres URI serwera LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, adres URI serwera LDAP" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Domyślna podstawowa DN" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Typ Schema do użycia na serwerze LDAP, RFC2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "Tryb używany do zmiany hasła użytkownika" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Domyślne DN dowiązania" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Typ tokenu uwierzytelniania domyślnego DN dowiązania" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Token uwierzytelniania domyślnego DN dowiązania" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Czas do próby połączenia" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 
msgid "Length of time to attempt synchronous LDAP operations" msgstr "Czas do próby synchronicznych działań LDAP" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Czas między próbami ponownego połączenia w trybie offline" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Użycie tylko wielkich znaków w nazwach obszarów" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Plik zawierający certyfikaty CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Ścieżka do katalogu certyfikatów CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Plik zawierający certyfikat klienta" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Plik zawierający klucz klienta" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Lista możliwych zestawów szyfrów" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Wymaga sprawdzenia certyfikatu TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Podaje używany mechanizm SASL" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Podaje używany identyfikator upoważnienia SASL" -#: 
src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Podaje obszar upoważnienia SASL do użycia" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Podaje minimalne SSF dla upoważnienia sasl LDAP" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Tablica kluczy usługi Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Używa uwierzytelniania Kerberos dla połączenia LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Podąża za odsyłaniami LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Czas trwania TGT dla połączenia LDAP" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Jak wskazywać aliasy" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Nazwa usługi do wyszukiwań usługi DNS" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "Liczba wpisów do pobrania w jednym zapytaniu LDAP" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "Suma liczb, których musi brakować, aby wywołać pełne „deref”" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP 
library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1053,381 +1063,381 @@ msgstr "" "Określa, czy biblioteka LDAP ma wykonywać odwrotne wyszukanie, aby " "ujednolicić nazwę komputera podczas dowiązania SASL" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "Atrybut entryUSN" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "Atrybut lastUSN" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "Jak długo utrzymywać połączenie z serwerem LDAP przed rozłączeniem" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Wyłącza kontrolę stronicowania LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Wyłącza pobieranie zakresu Active Directory" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Czas oczekiwania na żądanie wyszukiwania" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Czas oczekiwania na żądanie wyliczenia" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Czas między aktualizacjami wyliczania" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Czas między czyszczeniem pamięci podręcznej" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Wymaga TLS dla wyszukiwania identyfikatorów" 
-#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" "Używa mapowania identyfikatorów objectSID zamiast uprzednio ustawionych " "identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Podstawowe DN dla wyszukiwania użytkowników" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Zakres wyszukiwania użytkowników" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtruje wyszukiwania użytkowników" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Klasa obiektów dla użytkowników" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Atrybut nazwy użytkownika" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Atrybut UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Pierwszy atrybut GID" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Atrybut GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Atrybut katalogu domowego" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Atrybut powłoki" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "Atrybut UUID" -#: src/config/SSSDConfig/__init__.py.in:342 -#: 
src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "Atrybut objectSID" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Atrybut głównej grupy Active Directory dla mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Atrybut głównego użytkownika (dla Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Imię i nazwisko" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Atrybut memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Atrybut czasu modyfikacji" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "Atrybut shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "Atrybut shadowMin" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "Atrybut shadowMax" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "Atrybut shadowWarning" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "Atrybut shadowInactive" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "Atrybut shadowExpire" -#: src/config/SSSDConfig/__init__.py.in:355 
+#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "Atrybut shadowFlag" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Atrybut zawierający listę upoważnionych usług PAM" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Atrybut zawierający listę upoważnionych komputerów serwerowych" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "Atrybut zawierający listę upoważnionych rhosts serwera" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "Atrybut krbLastPwdChange" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "Atrybut krbPasswordExpiration" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "Atrybut wskazujący, czy polityki haseł po stronie serwera są aktywne" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "Atrybut accountExpires AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "Atrybut userAccountControl AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "Atrybut nsAccountLock" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "Atrybut loginDisabled NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: 
src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "Atrybut loginExpirationTime NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "Atrybut loginAllowedTimeMap NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Atrybut klucza publicznego SSH" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" "atrybut zawierający listę dozwolonych typów uwierzytelniania dla użytkownika" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "atrybut zawierający certyfikat X509 użytkownika" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "atrybut zawierający adres e-mail użytkownika" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "Lista dodatkowych atrybutów do pobrania razem z wpisem użytkownika" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "Podstawowe DN dla wyszukiwania grup" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Klasa obiektów dla grup" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Nazwa grupy" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Hasło grupy" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Atrybut GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Atrybut elementu grupy" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "Atrybut UUID grupy" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Atrybut czasu modyfikacji grup" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Typ grupy i inne flagi" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "Atrybut zewnętrznego członka grupy LDAP" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "Maksymalny poziom zagnieżdżenia, jaki usługa SSSD będzie używała" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "Podstawowe DN dla wyszukiwania grupy sieciowej" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Klasa obiektów dla grup sieciowych" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Nazwa grupy sieciowej" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Atrybut elementów grupy sieciowej" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Potrójny atrybut grupy sieciowej" -#: src/config/SSSDConfig/__init__.py.in:396 
+#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Atrybut czasu modyfikacji grup sieciowych" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Podstawowe DN do wyszukiwania usług" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Klasa obiektów dla usług" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Atrybut nazwy usługi" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Atrybut portu usługi" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Atrybut protokołu usługi" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Niższa granica dla mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Wyższa granica dla mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" "Liczba identyfikatorów dla każdego fragmentu podczas mapowania " "identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "Używa algorytmu zgodnego z autorid do mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Nazwa domyślnej domeny dla mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:410 +#: 
src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID domyślnej domeny dla mapowania identyfikatorów" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "Liczba drugorzędnych fragmentów" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Czy używać Token-Groups" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Ustawia dolną granicę dla dozwolonych identyfikatorów z serwera LDAP" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Ustawia górną granicę dla dozwolonych identyfikatorów z serwera LDAP" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN dla zapytań polityki" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "Ile maksymalnie wpisów pobierać podczas żądania z wieloznacznikiem" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Polityka do oszacowania wygaszenia hasła" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "Które atrybuty mają być używane do sprawdzenia, czy konto wygasło" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Które reguły mają być używane do sprawdzania kontroli dostępu" -#: 
src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "Adres URI serwera LDAP, gdzie zmiany hasła są dozwolone" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "Adres URI zapasowego serwera LDAP, gdzie zmiany hasła są dozwolone" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "Nazwa usługi DNS serwera zmiany hasła LDAP" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" @@ -1435,24 +1445,24 @@ msgstr "" "Określa, czy zaktualizować atrybut ldap_user_shadow_last_change po zmianie " "hasła" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Podstawowe DN dla wyszukiwań reguł sudo" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Okres między automatycznymi pełnymi odświeżeniami" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Okres między automatycznymi inteligentnymi odświeżeniami" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" "Określa, czy filtrować reguły według nazwy komputera, adresów IP i sieci" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1460,223 +1470,227 @@ msgstr "" "Nazwy komputerów lub w pełni kwalifikowane nazwy domen tego komputera do " "filtrowania reguł sudo" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "Adresy lub sieci IPv4 lub IPv6 tego komputera do filtrowania reguł sudo" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Określa, czy zawierać reguły zawierające grupy sieciowe w atrybucie komputera" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Określa, czy zawierać reguły zawierające wyrażenia regularne w atrybucie " "komputera" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Klasa obiektów dla reguł sudo" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Nazwa reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Atrybut polecenia reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Atrybut komputera reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Atrybut użytkownika reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "Atrybut opcji reguły 
sudo" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "Atrybut runas reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "Atrybut runasuser reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Atrybut runasgroup reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Atrybut notbefore reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Atrybut notafter reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Atrybut kolejności reguły sudo" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Klasa obiektów dla map automountera" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Atrybut nazwy mapy automountera" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Klasa obiektów dla wpisów map automountera" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Atrybut klucza wpisu mapy automountera" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Atrybut wartości wpisu mapy automountera" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid 
"Base DN for automounter map lookups" msgstr "Podstawowe DN dla wyszukiwań map automountera" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Lista dozwolonych użytkowników oddzielonych przecinkami" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Lista zabronionych użytkowników oddzielonych przecinkami" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Domyślna powłoka, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Podstawa katalogów domowych" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "Liczba elementów potomnych pośrednika przed rozwidleniem." -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Nazwa używanej biblioteki NSS" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" "Określa, czy wyszukiwać kanoniczną nazwę grupy w pamięci podręcznej, jeśli " "to możliwe" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Używany stos PAM" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "Ścieżka źródeł pliku „passwd”." -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "Ścieżka źródeł pliku „group”." 
-#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Uruchamia jako usługa (domyślnie)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Uruchamia interaktywnie (nie jako usługa)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "Wyłącza interfejs netlink" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Podaje niedomyślny plik konfiguracji" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "Odświeża bazę danych konfiguracji, a następnie kończy działanie" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "Podobne do --genconf, ale odświeża tylko podaną sekcję" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Wyświetla numer wersji i kończy działanie" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "Usługa SSSD jest już uruchomiona\n" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Poziom debugowania" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Dodaje czasy debugowania" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Wyświetlanie dat z mikrosekundami" -#: 
src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Otwiera deskryptor pliku dla dzienników debugowania" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" "Wysyła wyjście debugowania bezpośrednio do standardowego wyjścia błędów." -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "Użytkownik, jako który utworzyć ccache FAST" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "Grupa, jako którą utworzyć ccache FAST" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "Używany obszar Kerberosa" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "Żądany czas trwania biletu" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "Żądany odnawialny czas trwania biletu" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "Opcje FAST („never”, „try”, „demand”)" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "Podaje naczelnika serwera używanego dla FAST" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "Żąda ujednolicenie nazwy naczelnika" -#: src/providers/krb5/krb5_child.c:3261 +#: 
src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password" 
@@ -1684,82 +1698,82 @@ msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password" msgid "Domain of the information provider (mandatory)" msgstr "Domena dostawcy informacji (wymagane)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "Uprawnione gniazdo ma błędnego właściciela lub uprawnienia." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "Publiczne gniazdo ma błędnego właściciela lub uprawnienia" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Nieoczekiwany format komunikatu uwierzytelniającego serwera." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD nie zostało uruchomione w trybie roota." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "Gniazdo SSSD nie istnieje." -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "Nie można wykonać „stat” na gnieździe SSSD." -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Wystąpił błąd, ale nie odnaleziono jego opisu." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Nieoczekiwany błąd podczas wyszukiwania opisu błędu" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "Odmowa uprawnienia." 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Komunikat serwera: " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Hasła się nie zgadzają" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Przywrócenie hasła przez użytkownika root nie jest obsługiwane." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Uwierzytelniono za pomocą danych z pamięci podręcznej" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", hasło w pamięci podręcznej wygaśnie za: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "Hasło wygasło. Pozostało %1$d możliwych logowań." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Hasło wygaśnie za %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Uwierzytelnianie jest zabronione do: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "System jest w trybie offline, zmiana hasła nie jest możliwa" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1767,65 +1781,65 @@ msgstr "" "Po zmianie hasła OTP należy się wylogować i zalogować ponownie, aby uzyskać " "bilet" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Zmiana hasła się nie powiodła. " -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nowe hasło: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Proszę ponownie podać nowe hasło: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "Pierwszy czynnik: " -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "Drugi czynnik (opcjonalnie): " -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "Drugi czynnik: " -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Hasło: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "Pierwszy czynnik (obecne hasło): " -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Bieżące hasło: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Hasło wygasło. Proszę je zmienić teraz." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Poziom debugowania, z jakim uruchomić" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "Używana domena SSSD" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Błąd podczas ustawiania lokalizacji\n" 
@@ -1841,27 +1855,27 @@ msgstr "Nie podano użytkownika\n" msgid "Error looking up public keys\n" msgstr "Błąd podczas wyszukiwania kluczy publicznych\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Port do użycia do połączenia z komputerem" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "Wyświetla publiczne klucze SSH komputera" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Nieprawidłowy port\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Nie podano komputera\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Ścieżka do polecenia pośrednika musi być bezwzględna\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "sss_ssh_knownhostsproxy: nie można rozwiązać nazwy komputera %s\n" 
@@ -1913,21 +1927,21 @@ msgstr "Proszę podać użytkownika do dodania\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Błąd podczas inicjowania narzędzi — brak lokalnej domeny\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Błąd podczas inicjowania narzędzi\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Podano nieprawidłową domenę w FQDN\n" @@ -1948,7 +1962,7 @@ msgstr "Grupy muszą być w tej samej domenie co użytkownik\n" msgid "Cannot find group %1$s in local domain\n" msgstr "Nie można odnaleźć grupy %1$s w lokalnej domenie\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Nie można ustawić domyślnych wartości\n" 
@@ -2029,7 +2043,7 @@ msgstr "Grupa %1$s jest poza określonym zakresem identyfikatorów dla domeny\n" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2102,15 +2116,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Błąd transakcji. Nie można zmodyfikować grupy.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Prywatne magic " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGrupa: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Prywatne magic " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2159,73 +2173,73 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Wewnętrzny błąd. Nie można wydrukować grupy.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Usuwa katalog domowy i bufor poczty" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Nie usuwa katalogu domowego i bufora poczty" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Wymusza usunięcie plików, których właścicielem nie jest użytkownik" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Usuwa procesy użytkownika przed jego usunięciem" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Proszę podać użytkownika do usunięcia\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" "Użytkownik %1$s jest poza określonym zakresem identyfikatorów dla domeny\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "Nie można przywrócić kontekstu loginu SELinuksa\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "OSTRZEŻENIE: użytkownik (UID %1$lu) był zalogowany podczas jego usunięcia.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "Nie można określić, czy użytkownik był zalogowany na tej platformie" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "Błąd podczas sprawdzania, czy użytkownik był 
zalogowany\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "Polecenie po usunięciu nie powiodło się: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" "Katalog domowy nie zostanie usunięty — użytkownik nie jest właścicielem\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Nie można usunąć katalogu domowego: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Nie ma takiego użytkownika w lokalnej domenie. Usuwanie użytkowników jest " "dozwolone tylko w lokalnej domenie.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Wewnętrzny błąd. Nie można usunąć użytkownika.\n" 
@@ -2313,71 +2327,71 @@ msgstr "Nie można unieważnić %1$s\n" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "Nie można unieważnić %1$s %2$s\n" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "Unieważnia wszystkie wpisy w pamięci podręcznej" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Unieważnia podanego użytkownika" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Unieważnia wszystkich użytkowników" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Unieważnia podaną grupę" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Unieważnia wszystkie grupy" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Unieważnia podaną grupę sieciową" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Unieważnia wszystkie grupy sieciowe" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Unieważnia podaną usługę" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Unieważnia wszystkie usługi" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Unieważnia podaną mapę autofs" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Unieważnia wszystkie mapy autofs" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "Unieważnia konkretny komputer SSH" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "Unieważnia wszystkie komputery SSH" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate 
particular sudo rule" msgstr "Unieważnia podaną regułę sudo" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "Unieważnia wszystkie reguły sudo w pamięci podręcznej" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Unieważnia wpisy tylko z podanej domeny" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" @@ -2385,11 +2399,11 @@ msgstr "" "Podano nieoczekiwane parametry, opcje unieważniające jeden obiekt przyjmują " "tylko jeden podany parametr.\n" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Proszę wybrać co najmniej jeden obiekt do unieważnienia\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2399,7 +2413,7 @@ msgstr "" "domeną), należy użyć w pełni kwalifikowanej nazwy zamiast parametru --" "domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Nie można otworzyć dostępnych domen\n" @@ -2434,7 +2448,6 @@ msgid "Invalid result." msgstr "Nieprawidłowy wynik." #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "Nie można odczytać wejścia użytkownika\n" @@ -2444,7 +2457,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "Nieprawidłowe wejście, proszę podać „%s” lub „%s”.\n" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "Błąd podczas wykonywania polecenia zewnętrznego\n" 
@@ -2520,36 +2532,58 @@ msgstr "Czas wygaśnięcia grup inicjacji" msgid "Search by group ID" msgstr "Wyszukuje według identyfikatorów grup" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 +#, fuzzy, c-format +msgid "Failed to open %s\n" +msgstr "Nie można przetworzyć nazwy %s.\n" + +#: src/tools/sssctl/sssctl_config.c:75 +#, fuzzy, c-format +msgid "File %1$s does not exist.\n" +msgstr "Gniazdo SSSD nie istnieje." + +#: src/tools/sssctl/sssctl_config.c:79 +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" +"Sprawdzenie właściciela i uprawnień pliku się nie powiodło. Oczekiwano root:" +"root i 0600.\n" + +#: src/tools/sssctl/sssctl_config.c:85 #, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +#, fuzzy msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " +"There is no configuration. SSSD will use default configuration with files " "provider.\n" msgstr "" "Plik %1$s nie istnieje. Usługa SSSD użyje domyślnej konfiguracji z dostawcą " "plików.\n" -#: src/tools/sssctl/sssctl_config.c:81 -#, c-format -msgid "" -"File ownership and permissions check failed. Expected root:root and 0600.\n" +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" msgstr "" -"Sprawdzenie właściciela i uprawnień pliku się nie powiodło. 
Oczekiwano root:" -"root i 0600.\n" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "Problemy zidentyfikowane przez programy sprawdzające poprawność: %zu\n" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "Komunikaty utworzone podczas łączenia konfiguracji: %zu\n" -#: src/tools/sssctl/sssctl_config.c:127 -#, c-format -msgid "Used configuration snippet files: %u\n" +#: src/tools/sssctl/sssctl_config.c:137 +#, fuzzy, c-format +msgid "Used configuration snippet files: %zu\n" msgstr "Użyte pliki wstawek konfiguracji: %u\n" #: src/tools/sssctl/sssctl_data.c:89 @@ -2562,12 +2596,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "Kopia zapasowa SSSD lokalnych danych już istnieje, zastąpić?" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "Nie można wyeksportować zastąpień użytkownika\n" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "Nie można wyeksportować zastąpień grupy\n" @@ -2576,17 +2608,15 @@ msgid "Override existing backup" msgstr "Zastępuje istniejącą kopię zapasową" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "Nie można zaimportować zastąpień użytkownika\n" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "Nie można zaimportować zastąpień grupy\n" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "Uruchamia usługę SSSD, jeśli nie jest uruchomiona" 
@@ -2607,29 +2637,24 @@ msgid "Start SSSD when the cache is removed" msgstr "Uruchamia usługę SSSD po usunięciu pamięci podręcznej" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "Tworzenie kopii zapasowej lokalnych danych…\n" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" "Nie można utworzyć kopii zapasowej lokalnych danych, nie można usunąć " "pamięci podręcznej.\n" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "Usuwanie plików pamięci podręcznej…\n" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "Nie można usunąć plików pamięci podręcznej\n" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "Przywracanie lokalnych danych…\n" @@ -2637,17 +2662,11 @@ msgstr "Przywracanie lokalnych danych…\n" msgid "Show domain list including primary or trusted domain type" msgstr "Wyświetla listę domen, w tym główny i zaufany typ domeny" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "Nie można połączyć się z magistralą systemową.\n" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "Stan online: %s\n" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "Online" 
@@ -2656,52 +2675,62 @@ msgstr "Online" msgid "Offline" msgstr "Offline" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "Stan online: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:213 +#, fuzzy +msgid "This domain has no active servers.\n" +msgstr "Wyświetla informacje o aktywnym serwerze" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "Aktywne serwery:\n" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "nie połączono" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "Wykryte serwery (%s):\n" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "Jeszcze nic.\n" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "Wyświetla stan online" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "Wyświetla informacje o aktywnym serwerze" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "Wyświetla listę wykrytych serwerów" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "Należy podać nazwę domeny." 
-#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "Brak pamięci.\n" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "Nie można uzyskać stanu online\n" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "Nie można uzyskać listy serwerów\n" @@ -2714,27 +2743,22 @@ msgid "Delete log files instead of truncating" msgstr "Usuwa pliki dziennika zamiast ich skracania" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "Usuwanie plików dziennika…\n" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "Nie można usunąć plików dziennika\n" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "Skracanie plików dziennika…\n" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "Nie można skrócić plików dziennika\n" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "Brak pamięci." @@ -2744,7 +2768,6 @@ msgid "Archiving log files into %s...\n" msgstr "Archiwizowanie plików dziennika w %s…\n" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "Nie można zarchiwizować plików dziennika\n" @@ -2753,7 +2776,6 @@ msgid "Specify debug level you want to set" msgstr "Podaje poziom debugowania do ustawienia" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "Wynik wyszukiwania użytkownika InfoPipe usługi SSSD:\n" 
@@ -2768,7 +2790,6 @@ msgid "dlsym failed with [%s].\n" msgstr "dlsym się nie powiodło z [%s].\n" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "malloc się nie powiodło.\n" @@ -2778,7 +2799,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "sss_getpwnam_r się nie powiodło z [%d].\n" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "Wynik wyszukiwania użytkownika NSS usługi SSSD:\n" @@ -2841,23 +2861,22 @@ msgstr "" "usługa: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "Wyszukanie nazwy użytkownika [%s] się nie powiodło.\n" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "InfoPipe Wyszukanie użytkownika z [%s] się nie powiodło.\n" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "pam_start się nie powiodło: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" @@ -2865,12 +2884,12 @@ msgstr "" "testowanie pam_authenticate\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "pam_get_item się nie powiodło: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" @@ -2879,8 +2898,7 @@ msgstr "" "pam_authenticate dla użytkownika [%s]: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" 
@@ -2888,7 +2906,7 @@ msgstr "" "testowanie pam_chauthtok\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" @@ -2897,8 +2915,7 @@ msgstr "" "pam_chauthtok: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" @@ -2906,7 +2923,7 @@ msgstr "" "testowanie pam_acct_mgmt\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" @@ -2915,8 +2932,7 @@ msgstr "" "pam_acct_mgmt: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" @@ -2924,7 +2940,7 @@ msgstr "" "testowanie pam_setcred\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" @@ -2933,8 +2949,7 @@ msgstr "" "pam_setcred: [%s]\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" @@ -2942,7 +2957,7 @@ msgstr "" "testowanie pam_open_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" @@ -2951,8 +2966,7 @@ msgstr "" "pam_open_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" @@ -2960,7 +2974,7 @@ msgstr "" "testowanie pam_close_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" 
@@ -2969,18 +2983,15 @@ msgstr "" "pam_close_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "nieznane działanie\n" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "Środowisko PAM:\n" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr " — brak środowiska —\n" diff --git a/po/pt.po b/po/pt.po index aeface30156..6f983d38af7 100644 --- a/po/pt.po +++ b/po/pt.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:47+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/" @@ -77,12 +77,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Limite de tempo para mensagens enviadas sobre SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Expressão regular para obter nome do utilizar e domínio" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Formato compatível com o printf para apresentar nomes completos" 
@@ -301,1286 +301,1300 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Fornecedor de identidade" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Fornecedor de autenticação" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Fornecedor de controle de acesso" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Fornecedor de Alteração de Senha" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "ID de utilizador mínimo" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "ID de utilizador máximo" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid 
"Enable enumerating all users/groups" msgstr "Permitir enumeração de todos os utilizadores/grupos" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Efectuar cache de credenciais para sessões em modo desligado" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Apresentar utilizadores/grupos na forma completa" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Validade da cache (segundos)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Restringir ou preferir famílias de endereços especificas quando efectua " "consultas DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Durante quanto tempo devem ser permitidas as caches de sessões entre sessões " "bem sucedidas (dias)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: 
src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Domínio IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Endereço do servidor IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Nome da 
máquina do cliente IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: 
src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client 
hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM 
service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Endereço do servidor Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Reino Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Tempo de expiração da autenticação" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Directório para armazenar as caches de credenciais" -#: src/config/SSSDConfig/__init__.py.in:265 +#: 
src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Localização da cache de credenciais dos utilizadores" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Localização da tabela de chaves (keytab) para validar credenciais" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Activar validação de credenciais" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: 
src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Servidor onde está em execução o serviço de alteração de senha, se não " "coincide com o KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, O URI do servidor LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "A base DN por omissão" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "O tipo de Schema em utilização no servidor LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "O DN por omissão para a ligação" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "O tipo de token de autenticação do bind DN por omissão" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "O token de autenticação do bind DN por omissão" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Período de tempo para tentar ligação" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Tempo de espera 
para tentar operações LDAP síncronas" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Tempo de espera entre tentativas para re-conectar quando desligado" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Ficheiro que contêm os certificados CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Caminho para o directório do certificado CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Obriga a verificação de certificados TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Especificar mecanismo sasl a utilizar" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Especifique o id sasl para utilizar na autorização" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: 
src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Separador chave do serviço Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Utilizar autenticação Kerberos para ligações LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Seguir os referrals LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the 
LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Tempo de espera por um pedido de pesquisa" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Período de tempo entre enumeração de actualizações" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Requer TLS para consultas de ID" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "DN base para pesquisa de utilizadores" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Âmbito das pesquisas do utilizador" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filtro para as pesquisas do utilizador" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass 
para utilizadores" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Atributo do nome do utilizador" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Atributo UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Atributo GID primário" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Atributo GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Atributo da pasta pessoal" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Atributo da Shell" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Atributo principal do utilizador (para Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Nome Completo" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Atributo memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" 
msgstr "Atributo da alteração da data" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: 
src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Politica para avaliar a expiração da senha" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: 
src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: 
src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Lista de utilizadores autorizados separados por vírgulas" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Lista de utilizadores não autorizados separados por vírgulas" -#: src/config/SSSDConfig/__init__.py.in:468 +#: 
src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Shell pré-definida, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Directório base para as pastas pessoais" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "O nome da biblioteca NSS a utilizar" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Stack PAM a utilizar" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Tornar-se num serviço (omissão)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Executar interactivamente (não como serviço)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Especificar um ficheiro de configuração não standard" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Nível de depuração" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Adicionar tempos na depuração" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Um descritor de ficheiro aberto 
para os registos de depuração" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1588,146 +1602,146 @@ msgstr ""
 msgid "Domain of the information provider (mandatory)"
 msgstr "Domínio do fornecedor de informação (obrigatório)"
 
-#: src/sss_client/common.c:1084
+#: src/sss_client/common.c:1079
 msgid "Privileged socket has wrong ownership or permissions."
 msgstr ""
 
-#: src/sss_client/common.c:1087
+#: src/sss_client/common.c:1082
 msgid "Public socket has wrong ownership or permissions."
 msgstr ""
 
-#: src/sss_client/common.c:1090
+#: src/sss_client/common.c:1085
 msgid "Unexpected format of the server credential message."
 msgstr ""
 
-#: src/sss_client/common.c:1093
+#: src/sss_client/common.c:1088
 msgid "SSSD is not run by root."
 msgstr ""
 
-#: src/sss_client/common.c:1096
+#: src/sss_client/common.c:1091
 msgid "SSSD socket does not exist."
 msgstr ""
 
-#: src/sss_client/common.c:1099
+#: src/sss_client/common.c:1094
 msgid "Cannot get stat of SSSD socket."
 msgstr ""
 
-#: src/sss_client/common.c:1104
+#: src/sss_client/common.c:1099
 msgid "An error occurred, but no description can be found."
 msgstr ""
 
-#: src/sss_client/common.c:1110
+#: src/sss_client/common.c:1105
 msgid "Unexpected error while looking for an error description"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:67
+#: src/sss_client/pam_sss.c:68
 msgid "Permission denied. "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778
-#: src/sss_client/pam_sss.c:789
+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779
+#: src/sss_client/pam_sss.c:790
 msgid "Server message: "
 msgstr "Mensagem do Servidor: "
 
-#: src/sss_client/pam_sss.c:296
+#: src/sss_client/pam_sss.c:297
 msgid "Passwords do not match"
 msgstr "Senhas não coincidem"
 
-#: src/sss_client/pam_sss.c:484
+#: src/sss_client/pam_sss.c:485
 msgid "Password reset by root is not supported."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:525
+#: src/sss_client/pam_sss.c:526
 msgid "Authenticated with cached credentials"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:526
+#: src/sss_client/pam_sss.c:527
 msgid ", your cached password will expire at: "
 msgstr ", a sua senha guardada em cache irá expirar em: "
 
-#: src/sss_client/pam_sss.c:556
+#: src/sss_client/pam_sss.c:557
 #, c-format
 msgid "Your password has expired. You have %1$d grace login(s) remaining."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:602
+#: src/sss_client/pam_sss.c:603
 #, c-format
 msgid "Your password will expire in %1$d %2$s."
 msgstr ""
 
-#: src/sss_client/pam_sss.c:651
+#: src/sss_client/pam_sss.c:652
 msgid "Authentication is denied until: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:672
+#: src/sss_client/pam_sss.c:673
 msgid "System is offline, password change not possible"
 msgstr "O sistema está offline, a mudança de senha não é possível"
 
-#: src/sss_client/pam_sss.c:687
+#: src/sss_client/pam_sss.c:688
 msgid ""
 "After changing the OTP password, you need to log out and back in order to "
 "acquire a ticket"
 msgstr ""
 
-#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788
+#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789
 msgid "Password change failed. "
 msgstr "Alteração da senha falhou."
 
-#: src/sss_client/pam_sss.c:1989
+#: src/sss_client/pam_sss.c:2008
 msgid "New Password: "
 msgstr "Nova Senha: "
 
-#: src/sss_client/pam_sss.c:1990
+#: src/sss_client/pam_sss.c:2009
 msgid "Reenter new Password: "
 msgstr "Digite a senha novamente: "
 
-#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155
+#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174
 msgid "First Factor: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324
+#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343
 msgid "Second Factor (optional): "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327
+#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346
 msgid "Second Factor: "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2171
+#: src/sss_client/pam_sss.c:2190
 msgid "Password: "
 msgstr "Senha: "
 
-#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326
+#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345
 msgid "First Factor (Current Password): "
 msgstr ""
 
-#: src/sss_client/pam_sss.c:2330
+#: src/sss_client/pam_sss.c:2349
 msgid "Current Password: "
 msgstr "Senha actual: "
 
-#: src/sss_client/pam_sss.c:2685
+#: src/sss_client/pam_sss.c:2704
 msgid "Password expired. Change your password now."
 msgstr "A senha expirou. Altere a sua senha agora."
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48
 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
-#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
-#: src/tools/sss_cache.c:704
+#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:719
 msgid "The debug level to run with"
 msgstr "O nível de depuração a utilizar durante a execução"
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190
 msgid "The SSSD domain to use"
 msgstr ""
 
 #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
-#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
-#: src/tools/sss_cache.c:750
+#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:765
 msgid "Error setting the locale\n"
 msgstr "Erro ao definir a configuração regional\n"
 
@@ -1743,27 +1757,27 @@ msgstr ""
 msgid "Error looking up public keys\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188
 msgid "The port to use to connect to the host"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192
 msgid "Print the host ssh public keys"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234
 msgid "Invalid port\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239
 msgid "Host not specified\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245
 msgid "The path to the proxy command must be absolute\n"
 msgstr ""
 
-#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324
 #, c-format
 msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n"
 msgstr ""
@@ -1815,21 +1829,21 @@ msgstr "Indique utilizador a adicionar\n"
 
 #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
-#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200
 #: src/tools/sss_usermod.c:162
 msgid "Error initializing the tools - no local domain\n"
 msgstr "Erro ao inicializar as ferramentas - não existe domínio local\n"
 
 #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
-#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202
 #: src/tools/sss_usermod.c:164
 msgid "Error initializing the tools\n"
 msgstr "Erro ao inicializar as ferramentas\n"
 
 #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
-#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211
 #: src/tools/sss_usermod.c:173
 msgid "Invalid domain specified in FQDN\n"
 msgstr "Domínio inválido especificado no FQDN\n"
@@ -1850,7 +1864,7 @@ msgstr "Os grupos têm de pertencer ao mesmo domínio que o utilizador\n"
 msgid "Cannot find group %1$s in local domain\n"
 msgstr ""
 
-#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221
 msgid "Cannot set default values\n"
 msgstr "Incapaz de definir valores por omissão\n"
 
@@ -1928,7 +1942,7 @@ msgstr ""
 
 #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
-#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282
 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
 #, c-format
 msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
@@ -1997,15 +2011,15 @@ msgstr ""
 msgid "Transaction error. Could not modify group.\n"
 msgstr "Erro de transacção. Não foi possível modificar o grupo.\n"
 
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "\"Magic\" Privada"
+
 #: src/tools/sss_groupshow.c:615
 #, c-format
 msgid "%1$s%2$sGroup: %3$s\n"
 msgstr ""
 
-#: src/tools/sss_groupshow.c:616
-msgid "Magic Private "
-msgstr "\"Magic\" Privada"
-
 #: src/tools/sss_groupshow.c:618
 #, c-format
 msgid "%1$sGID number: %2$d\n"
@@ -2050,72 +2064,72 @@ msgstr ""
 msgid "Internal error. Could not print group.\n"
 msgstr "Erro interno. Incapaz de imprimir grupo.\n"
 
-#: src/tools/sss_userdel.c:136
+#: src/tools/sss_userdel.c:138
 msgid "Remove home directory and mail spool"
 msgstr "Remover pasta pessoal e spool de correio"
 
-#: src/tools/sss_userdel.c:138
+#: src/tools/sss_userdel.c:140
 msgid "Do not remove home directory and mail spool"
 msgstr "Não remover pasta pessoal e spool de correio"
 
-#: src/tools/sss_userdel.c:140
+#: src/tools/sss_userdel.c:142
 msgid "Force removal of files not owned by the user"
 msgstr "Forçar a remoção de ficheiros não pertencentes ao utilizador"
 
-#: src/tools/sss_userdel.c:142
+#: src/tools/sss_userdel.c:144
 msgid "Kill users' processes before removing him"
 msgstr "Mate os processos do utilizador antes de o remover"
 
-#: src/tools/sss_userdel.c:188
+#: src/tools/sss_userdel.c:190
 msgid "Specify user to delete\n"
 msgstr "Especificar o utilizador a remover\n"
 
-#: src/tools/sss_userdel.c:234
+#: src/tools/sss_userdel.c:236
 #, c-format
 msgid "User %1$s is outside the defined ID range for domain\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:259
+#: src/tools/sss_userdel.c:261
 msgid "Cannot reset SELinux login context\n"
 msgstr "Não foi possível redefinir o contexto SELinux para a sessão\n"
 
-#: src/tools/sss_userdel.c:271
+#: src/tools/sss_userdel.c:273
 #, c-format
 msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:276
+#: src/tools/sss_userdel.c:278
 msgid "Cannot determine if the user was logged in on this platform"
 msgstr ""
 "Não foi possível determinar se o utilizador estava autenticado nesta "
 "plataforma"
 
-#: src/tools/sss_userdel.c:281
+#: src/tools/sss_userdel.c:283
 msgid "Error while checking if the user was logged in\n"
 msgstr "Erro ao verificar se o utilizador estava autenticado\n"
 
-#: src/tools/sss_userdel.c:288
+#: src/tools/sss_userdel.c:290
 #, c-format
 msgid "The post-delete command failed: %1$s\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:308
+#: src/tools/sss_userdel.c:310
 msgid "Not removing home dir - not owned by user\n"
 msgstr "Pasta pessoal não removida - não pertence ao utilizador\n"
 
-#: src/tools/sss_userdel.c:310
+#: src/tools/sss_userdel.c:312
 #, c-format
 msgid "Cannot remove homedir: %1$s\n"
 msgstr ""
 
-#: src/tools/sss_userdel.c:324
+#: src/tools/sss_userdel.c:326
 msgid ""
 "No such user in local domain. Removing users only allowed in local domain.\n"
 msgstr ""
 "Utilizador não existe no domínio local. Apenas é permitido remover "
 "utilizadores no domínio local.\n"
 
-#: src/tools/sss_userdel.c:329
+#: src/tools/sss_userdel.c:331
 msgid "Internal error. Could not remove user.\n"
 msgstr "Erro interno. Incapaz de remover utilizador.\n"
 
@@ -2198,88 +2212,88 @@ msgstr ""
 msgid "Couldn't invalidate %1$s %2$s\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:706
+#: src/tools/sss_cache.c:721
 msgid "Invalidate all cached entries"
 msgstr ""
 
-#: src/tools/sss_cache.c:708
+#: src/tools/sss_cache.c:723
 msgid "Invalidate particular user"
 msgstr ""
 
-#: src/tools/sss_cache.c:710
+#: src/tools/sss_cache.c:725
 msgid "Invalidate all users"
 msgstr ""
 
-#: src/tools/sss_cache.c:712
+#: src/tools/sss_cache.c:727
 msgid "Invalidate particular group"
 msgstr ""
 
-#: src/tools/sss_cache.c:714
+#: src/tools/sss_cache.c:729
 msgid "Invalidate all groups"
 msgstr ""
 
-#: src/tools/sss_cache.c:716
+#: src/tools/sss_cache.c:731
 msgid "Invalidate particular netgroup"
 msgstr ""
 
-#: src/tools/sss_cache.c:718
+#: src/tools/sss_cache.c:733
 msgid "Invalidate all netgroups"
 msgstr ""
 
-#: src/tools/sss_cache.c:720
+#: src/tools/sss_cache.c:735
 msgid "Invalidate particular service"
 msgstr ""
 
-#: src/tools/sss_cache.c:722
+#: src/tools/sss_cache.c:737
 msgid "Invalidate all services"
 msgstr ""
 
-#: src/tools/sss_cache.c:725
+#: src/tools/sss_cache.c:740
 msgid "Invalidate particular autofs map"
 msgstr ""
 
-#: src/tools/sss_cache.c:727
+#: src/tools/sss_cache.c:742
 msgid "Invalidate all autofs maps"
 msgstr ""
 
-#: src/tools/sss_cache.c:731
+#: src/tools/sss_cache.c:746
 msgid "Invalidate particular SSH host"
 msgstr ""
 
-#: src/tools/sss_cache.c:733
+#: src/tools/sss_cache.c:748
 msgid "Invalidate all SSH hosts"
 msgstr ""
 
-#: src/tools/sss_cache.c:737
+#: src/tools/sss_cache.c:752
 msgid "Invalidate particular sudo rule"
 msgstr ""
 
-#: src/tools/sss_cache.c:739
+#: src/tools/sss_cache.c:754
 msgid "Invalidate all cached sudo rules"
 msgstr ""
 
-#: src/tools/sss_cache.c:742
+#: src/tools/sss_cache.c:757
 msgid "Only invalidate entries from a particular domain"
 msgstr ""
 
-#: src/tools/sss_cache.c:796
+#: src/tools/sss_cache.c:811
 msgid ""
 "Unexpected argument(s) provided, options that invalidate a single object "
 "only accept a single provided argument.\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:806
+#: src/tools/sss_cache.c:821
 msgid "Please select at least one object to invalidate\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:889
+#: src/tools/sss_cache.c:904
 #, c-format
 msgid ""
 "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
 "use fully qualified name instead of --domain/-d parameter.\n"
 msgstr ""
 
-#: src/tools/sss_cache.c:894
+#: src/tools/sss_cache.c:909
 msgid "Could not open available domains\n"
 msgstr ""
 
@@ -2314,7 +2328,6 @@ msgid "Invalid result."
 msgstr ""
 
 #: src/tools/sssctl/sssctl.c:78
-#, c-format
 msgid "Unable to read user input\n"
 msgstr ""
 
@@ -2324,7 +2337,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
-#, c-format
 msgid "Error while executing external command\n"
 msgstr ""
 
@@ -2400,32 +2412,53 @@ msgstr ""
 msgid "Search by group ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:67
+#: src/tools/sssctl/sssctl_config.c:70
 #, c-format
-msgid ""
-"File %1$s does not exist. SSSD will use default configuration with files "
-"provider.\n"
+msgid "Failed to open %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:81
+#: src/tools/sssctl/sssctl_config.c:75
 #, c-format
+msgid "File %1$s does not exist.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:79
 msgid ""
 "File ownership and permissions check failed. Expected root:root and 0600.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:104
+#: src/tools/sssctl/sssctl_config.c:85
+#, c-format
+msgid "Failed to load configuration configuration from %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:91
+msgid "Error while reading configuration directory.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:99
+msgid ""
+"There is no configuration. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:111
+msgid "Failed to run validators"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:115
 #, c-format
 msgid "Issues identified by validators: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:114
+#: src/tools/sssctl/sssctl_config.c:126
 #, c-format
 msgid "Messages generated during configuration merging: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_config.c:127
+#: src/tools/sssctl/sssctl_config.c:137
 #, c-format
-msgid "Used configuration snippet files: %u\n"
+msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:89
@@ -2438,12 +2471,10 @@ msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:111
-#, c-format
 msgid "Unable to export user overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:118
-#, c-format
 msgid "Unable to export group overrides\n"
 msgstr ""
 
@@ -2452,17 +2483,15 @@ msgid "Override existing backup"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:164
-#, c-format
 msgid "Unable to import user overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:173
-#, c-format
 msgid "Unable to import group overrides\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
-#: src/tools/sssctl/sssctl_domains.c:315
+#: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
@@ -2483,27 +2512,22 @@ msgid "Start SSSD when the cache is removed"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:235
-#, c-format
 msgid "Creating backup of local data...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:238
-#, c-format
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:243
-#, c-format
 msgid "Removing cache files...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:246
-#, c-format
 msgid "Unable to remove cache files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_data.c:251
-#, c-format
 msgid "Restoring local data...\n"
 msgstr ""
 
@@ -2511,17 +2535,11 @@ msgstr ""
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
 #: src/tools/sssctl/sssctl_user_checks.c:95
-#, c-format
 msgid "Unable to connect to system bus!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:167
-#, c-format
-msgid "Online status: %s\n"
-msgstr ""
-
 #: src/tools/sssctl/sssctl_domains.c:167
 msgid "Online"
 msgstr ""
@@ -2530,52 +2548,61 @@ msgstr ""
 msgid "Offline"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:212
+#: src/tools/sssctl/sssctl_domains.c:167
 #, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:213
+msgid "This domain has no active servers.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:218
 msgid "Active servers:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:223
+#: src/tools/sssctl/sssctl_domains.c:230
 msgid "not connected"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:260
+#: src/tools/sssctl/sssctl_domains.c:267
+msgid "No servers discovered.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:273
 #, c-format
 msgid "Discovered %s servers:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:272
+#: src/tools/sssctl/sssctl_domains.c:285
 msgid "None so far.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:312
+#: src/tools/sssctl/sssctl_domains.c:325
 msgid "Show online status"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:313
+#: src/tools/sssctl/sssctl_domains.c:326
 msgid "Show information about active server"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:314
+#: src/tools/sssctl/sssctl_domains.c:327
 msgid "Show list of discovered servers"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:320
+#: src/tools/sssctl/sssctl_domains.c:333
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:342
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:355
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:382
-#, c-format
+#: src/tools/sssctl/sssctl_domains.c:395
 msgid "Unable to get server list\n"
 msgstr ""
 
@@ -2588,27 +2615,22 @@ msgid "Delete log files instead of truncating"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:248
-#, c-format
 msgid "Deleting log files...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:251
-#, c-format
 msgid "Unable to remove log files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:257
-#, c-format
 msgid "Truncating log files...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:260
-#, c-format
 msgid "Unable to truncate log files\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:286
-#, c-format
 msgid "Out of memory!"
 msgstr ""
 
@@ -2618,7 +2640,6 @@ msgid "Archiving log files into %s...\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_logs.c:292
-#, c-format
 msgid "Unable to archive log files\n"
 msgstr ""
 
@@ -2627,7 +2648,6 @@ msgid "Specify debug level you want to set"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_user_checks.c:117
-#, c-format
 msgid "SSSD InfoPipe user lookup result:\n"
 msgstr ""
 
@@ -2642,7 +2662,6 @@ msgid "dlsym failed with [%s].\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_user_checks.c:182
-#, c-format
 msgid "malloc failed.\n"
 msgstr ""
 
@@ -2652,7 +2671,6 @@ msgid "sss_getpwnam_r failed with [%d].\n"
 msgstr ""
 
 #: src/tools/sssctl/sssctl_user_checks.c:194
-#, c-format
 msgid "SSSD nss user lookup result:\n"
 msgstr ""
 
@@ -2709,122 +2727,113 @@ msgid ""
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:253
+#: src/tools/sssctl/sssctl_user_checks.c:252
 #, c-format
 msgid "User name lookup with [%s] failed.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:258
+#: src/tools/sssctl/sssctl_user_checks.c:257
 #, c-format
 msgid "InfoPipe User lookup with [%s] failed.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:265
+#: src/tools/sssctl/sssctl_user_checks.c:263
 #, c-format
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:270
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:268
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:274
+#: src/tools/sssctl/sssctl_user_checks.c:272
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:275
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:281
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:278
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:283
+#: src/tools/sssctl/sssctl_user_checks.c:280
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:285
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:282
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:287
+#: src/tools/sssctl/sssctl_user_checks.c:284
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:289
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:286
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:291
+#: src/tools/sssctl/sssctl_user_checks.c:288
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:293
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:290
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:295
+#: src/tools/sssctl/sssctl_user_checks.c:292
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:297
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:294
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:299
+#: src/tools/sssctl/sssctl_user_checks.c:296
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:302
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:298
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:305
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:301
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:313
-#, c-format
+#: src/tools/sssctl/sssctl_user_checks.c:309
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/pt_BR.po b/po/pt_BR.po
index 2648ca3948c..dc03ba65881 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2019-09-12 02:51+0200\n"
+"POT-Creation-Date: 2019-11-30 22:24+0100\n"
 "PO-Revision-Date: 2015-10-27 08:15+0000\n"
 "Last-Translator: Marco Aurélio Krause \n"
 "Language-Team: Portuguese (Brazil)\n"
@@ -72,12 +72,12 @@ msgid "Timeout for messages sent over the SBUS"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:60
-#: src/config/SSSDConfig/__init__.py.in:201
+#: src/config/SSSDConfig/__init__.py.in:203
 msgid "Regex to parse username and domain"
 msgstr ""
 
 #: src/config/SSSDConfig/__init__.py.in:61
-#: src/config/SSSDConfig/__init__.py.in:200
+#: src/config/SSSDConfig/__init__.py.in:202
 msgid "Printf-compatible format for displaying fully-qualified names"
 msgstr ""
 
@@ -291,1280 +291,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials 
for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid 
"Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: 
src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: 
src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: 
src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be 
renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: 
src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 
msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: 
src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule 
runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy 
children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: 
src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1572,146 +1586,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1727,27 +1741,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1799,21 +1813,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1834,7 +1848,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1911,7 +1925,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1973,15 +1987,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2024,68 +2038,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2164,88 +2178,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2280,7 +2294,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2290,7 +2303,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2366,32 +2378,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2404,12 +2437,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2418,17 +2449,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2449,27 +2478,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2477,17 +2501,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2496,52 +2514,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2554,27 +2581,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2584,7 +2606,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2593,7 +2614,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2608,7 +2628,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2618,7 +2637,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2675,122 +2693,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/ru.po b/po/ru.po index bd66d7a11c7..d8e586b207e 100644 --- a/po/ru.po +++ b/po/ru.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2016-02-23 10:04+0000\n" "Last-Translator: Oleksii Levan \n" "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/" 
@@ -80,12 +80,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Тайм-аут для сообщений, отправленных через SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Регулярное выражение для разбора имени пользователя и домена" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Printf-совместимый формат для отображения полностью определённых имён" 
@@ -318,1287 +318,1301 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Поставщик данных для идентификации" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Поставщик данных для проверки подлинности" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Поставщик данных для контроля доступа" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Поставщик операции смены пароля" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Минимальный ID пользователя" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Максимальный ID пользователя" -#: src/config/SSSDConfig/__init__.py.in:167 +#: 
src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Включить перечисление всех пользователей/групп" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Кэшировать учётные данные для неинтерактивного входа" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Отображать пользователей/группы в полной форме" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Тайм-аут элемента списка кэша (в секундах)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Ограничивать или предпочитать определённое семейство адресов при выполнении " "запросов DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Как долго хранить кэшированные элементы списка после последнего успешного " "входа (в днях)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "Время ожидания ответа DNS при преобразовании имён серверов (секунд)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Доменная часть DNS-запроса поиска служб" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "Интерфейс, адрес которого будет использован для обновления DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-домен" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "адрес сервера IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid 
"Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "имя узла клиента IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "Если требуется автоматическое обновление записи в" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 
msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Фильтр LDAP для определения прав доступа" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: 
src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Имя сервера Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Область действия Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Тайм-аут проверки подлинности" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: 
src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Каталог для хранения кэшей учётных данных" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Расположения кэша учётных данных пользователей" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Расположение keytab-файла для проверки учётных данных" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Включить проверку учётных данных" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" "При отсутствии соединения сохранить пароль и пройти аутентификацию позже" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 
msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "Сервер, на котором запущена служба смены пароля (если не на KDC)" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, URI сервера LDAP " -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Base DN по умолчанию" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Тип схемы, используемой на LDAP-сервере, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Bind DN по умолчанию" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Тип маркера проверки подлинности для bind DN по умолчанию" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Маркер проверки подлинности для bind DN по умолчанию" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Временной интервал для попытки соединения" -#: 
src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Временной интервал для попытки синхронизации операций LDAP" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" "Временной интервал между попытками возобновления соединения в автономного " "режиме" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Файл содержащий сертификаты CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Путь к каталогу с сертификатами CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Требуется проверка сертификата TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Укажите механизм sasl" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Укажите идентификатор авторизации sasl" -#: src/config/SSSDConfig/__init__.py.in:303 +#: 
src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Keytab-файл службы Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Использовать проверку подлинности Kerberos для LDAP-соединения" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Следовать ссылкам LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Время жизни TGT для LDAP-соединений" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: 
src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Временной интервал, в течение которого ожидать поискового запроса" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Временной интервал между обновлениями перечисления" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Требовать TLS для запросов ID" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Base DN для поиска" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Глубина поиска" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user 
lookups" msgstr "Фильтр поиска" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objectclass для пользователей" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Атрибут «username»" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Атрибут «UID»" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Атрибут «primary GID»" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Атрибут «GECOS»" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Атрибут домашнего каталога" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Атрибут оболочки" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Атрибут участника-пользователя (для Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Полное имя" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf 
attribute" msgstr "Атрибут memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Атрибут времени изменения" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are 
active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: 
src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Политика вычисления окончания срока действия пароля" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Разделённый запятыми список разрешённых пользователей" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of 
prohibited users" msgstr "Разделённый запятыми список запрещённых пользователей" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Оболочка по умолчанию, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Место для домашних каталогов" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Имя используемой библиотеки NSS" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Используемый стек PAM" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." 
msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Запускаться в качестве службы (по умолчанию)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Запускаться интерактивно (не службой)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Указать файл конфигурации" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Уровень отладки" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Добавить отладочные отметки времени" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Открытый дескриптор файла для журналов отладки" 
-#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1606,148 +1620,148 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "Домен поставщика информации (обязательный)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" "Для привилегированного сокета установлен неверный владелец или права доступа." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" "Для общедоступного сокета установлен неверный владелец или права доступа." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Сообщение сервера:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Пароли не совпадают" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", срок действия вашего кэшированного пароль истечёт:" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Система находится в автономном режиме, невозможно сменить пароль" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Не удалось сменить пароль." 
-#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Новый пароль:" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Введите новый пароль ещё раз:" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Пароль:" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Текущий пароль:" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Срок действия пароля истёк. Необходимо сейчас изменить ваш пароль." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Уровень отладки для запуска" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1763,27 +1777,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1835,21 +1849,21 @@ msgstr "Укажите добавляемого пользователя\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Ошибка инициализации инструментов - не найден локальный домен\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Ошибка инициализации инструментов\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "В FQDN указан неверный домен\n" @@ -1870,7 +1884,7 @@ msgstr "Группы должны быть в том же домене, что msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Не удалось установить значения по умолчанию\n" @@ -1949,7 +1963,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -2017,15 +2031,15 @@ msgstr "Не удалось изменить группу — проверьте msgid "Transaction error. Could not modify group.\n" msgstr "Ошибка в транзакции. Не удалось изменить группу.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magic Private" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2070,71 +2084,71 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Внутренняя ошибка. Невозможно напечатать группу.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Удалить домашний каталог и почтовую очередь" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Не удалять домашний каталог и почтовую очередь" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Принудительно удалять файлы, не принадлежащие пользователю" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Укажите пользователя для удаления\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" "Домашняя директория не удалена — пользователь не является её владельцем\n" -#: src/tools/sss_userdel.c:310 +#: 
src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "В локальном домене нет такого пользователя. Удаление пользователей разрешено " "только для локального домена.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Внутренняя ошибка. Не удалось удалить пользователя.\n" 
@@ -2215,88 +2229,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2331,7 +2345,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2341,7 +2354,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2417,32 +2429,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2455,12 +2488,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2469,17 +2500,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2500,27 +2529,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2528,17 +2552,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2547,52 +2565,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2605,27 +2632,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2635,7 +2657,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2644,7 +2665,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2659,7 +2679,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2669,7 +2688,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2726,122 +2744,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/sssd.pot b/po/sssd.pot index 2189590aa2e..8c009188216 100644 --- a/po/sssd.pot +++ b/po/sssd.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -75,12 +75,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -294,1280 +294,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials 
for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid 
"Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: 
src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: 
src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: 
src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be 
renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: 
src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 
msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: 
src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule 
runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy 
children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: 
src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1575,146 +1589,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1730,27 +1744,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1802,21 +1816,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1837,7 +1851,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1914,7 +1928,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1976,15 +1990,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2027,68 +2041,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2167,88 +2181,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2283,7 +2297,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2293,7 +2306,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2369,32 +2381,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2407,12 +2440,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2421,17 +2452,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2452,27 +2481,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2480,17 +2504,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2499,52 +2517,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2557,27 +2584,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2587,7 +2609,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2596,7 +2617,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2611,7 +2631,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2621,7 +2640,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2678,122 +2696,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/sv.po b/po/sv.po index d19f56f8e79..646f33eee66 100644 --- a/po/sv.po +++ b/po/sv.po @@ -11,8 +11,8 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" -"PO-Revision-Date: 2019-08-03 08:43+0000\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" +"PO-Revision-Date: 2019-09-29 04:12+0000\n" "Last-Translator: Göran Uddeborg \n" "Language-Team: Swedish (http://www.transifex.com/projects/p/sssd/language/" "sv/)\n" 
@@ -81,12 +81,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Tidsgräns för meddelanden skickade via SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Reguljäruttryck för att tolka användarnamn och domän" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Printf-kompatibla format för att visa fullständigt kvalificerade namn" 
@@ -318,52 +318,62 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "Sökväg till lagring av betrodda CA-certifikat" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "Lista över UID:er eller användarnamn som tillåts komma åt PAC-svararen" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "Hur länge PAC-data betraktas som giltiga" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Lista över UID:er eller användarnamn som tillåts komma åt InfoPipe-svararen" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Lista över användarattribut InfoPipe får publicera" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "Leverantören där hemligheter kommer lagras i" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "Det maximala antalet tillåtna nästlade behållare" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "Det maximala antalet hemligheter som kan lagras" -#: src/config/SSSDConfig/__init__.py.in:135 +#: 
src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "Det maximala antalet hemligheter som kan lagras per UID" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "Den maximala laststorleken av hemligheter i kilobyte" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "URL:en Custodia-servern lyssnar på" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "Metoden att använda vid autentisering mot en Custodia-server" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" @@ -371,11 +381,11 @@ msgstr "" "Namnet på huvudena som kommer läggas till i en HTTP-begäran med värdet " "definierat i auth_header_value" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "Värdet sssd-hemligheter skulle använda till auth_header_name" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" 
@@ -383,27 +393,27 @@ msgstr "" "Listan över huvuden att vidarebefordra till Custodia-servern tillsammans med " "begäran" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" "Användarnamnet att använda vid autentisering mot en Custodia-server med " "basic_auth" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" "Lösenordet att använda vid autentisering mot en Custodia-server med " "basic_auth" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" "Om sant verifieras motpartens certifikat om proxy_url använder protokollet " "https" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" 
@@ -411,287 +421,291 @@ msgstr "" "Om falskt får motpartens certifikat innehålla ett annat värdnamn än " "proxy_url när protokollet https används" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "Sökväg till katalogen där certifikatutfärdares certifikat lagras" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "Sökväg till filen som innehåller serverns CA-certifikat" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "Sökväg till filen som innehåller klientens certifikat" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "Sökväg till filen som innehåller klientens privata nyckel" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Identitetsleverantör" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Autentiseringsleverantör" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Leverantör av åtkomstkontroll" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Leverantör av lösenordsändringar" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "SUDO-leverantör" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Autofs-leverantör" -#: src/config/SSSDConfig/__init__.py.in:159 +#: 
src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Värdidentitetsleverantör" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "SELinux-leverantör" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "Sessionshanteringsleverantör" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "Huruvida domänen är användbar av OS:et eller av program" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Minsta användar-ID" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Största användar-ID" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Aktivera uppräkning av alla användare/grupper" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Cache-kreditiv för frånkopplad inloggning" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Visa användare/grupper i fullständigt kvalificerat format" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Inkludera inte gruppmedlemmar i gruppuppslagningar" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: 
src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Tidsgränslängd för postcache (sekunder)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "Begränsa eller föredra en specifik adressfamilj vid DNS-uppslagningar" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Hur länge cachade poster skall behållas efter senaste lyckade inloggning " "(dagar)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" +"Hur länge SSSD skall prata med en enskild DNS-server försöker med nästa " +"server (millisekunder)." -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" +"Hur länge SSSD skall fortsätta försöka slå upp en enskild DNS-fråga " +"(sekunder)." 
-#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "Hur länge man väntar på svar från DNS när servrar slås upp (sekunder)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Domändelen av DNS-frågan för tjänstedetektering" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "Åsidosätt GID-värdet från identitetsleverantören med detta värde" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Behandla användarnamn som skiftlägeskänsliga" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Hur ofta utgångna poster skall förnyas i bakgrunden" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Huruvida klienternas DNS-poster uppdateras automatiskt" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "TTL:en att använda för klientens DNS-post efter att ha uppdaterat den" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "Gränssnittet vars IP skall användas för dynamiska DNS-uppdateringar" -#: 
src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Hur ofta klienternas DNS-poster periodiskt skall uppdateras" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "Huruvida leverantören explicit skall uppdatera PTR-posten också" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Huruvida verktyget nsupdate skall använda TCP som standard" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Vilken sorts autentisering som skall användas för att utföra DNS-" "uppdateringen" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "Åsidosätt DNS-servern som används för att utföra DNS-uppdateringen" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Styr uppräkning av betrodda domäner" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "Hur ofta skall listan över underdomäner uppdateras" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "Lista över flaggor som skall ärvas in i en underdomän" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "Standard hemkatalogvärde för underdomäner" -#: 
src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "Hur länge cachade kreditiv får användas för cachad autentisering" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "Huruvida privata grupper för användare skall skapas automatiskt" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA-domän" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA-serveradress" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Adress till reserv-IPA-server" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA-klientvärdnamn" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "Om klientens DNS-post i FreeIPA automatiskt skall uppdateras" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Sökbas för HBAC-relaterade objekt" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "Tidsåtgången mellan uppslagningar av HBAC-reglerna mot IPA-servern" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" "Tiden i sekunder mellan uppslagningar av SELinux-mappningar mot IPA-servern" -#: 
src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "Om satt till falskt kommer värdargument givna av PAM ignoreras" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "Platsen för automatmonteraren denna IPA-klient använder" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "Sökbas för objekt som innehåller information om IPA-domänen" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "Sökbas för objekt som innehåller information om ID-intervall" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "Aktivera DNS-sajter - platsbaserad detektering av tjänster" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Sökbas för vybehållare" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Objektklass för vybehållare" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "Attribut med namnet på vyn" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Objektklass för åsidosättande objekt" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to 
the original object" msgstr "Attribut med referensen till originalobjektet" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Objektklass för användaråsidosättande objekt" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Objektklass för gruppåsidosättande objekt" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "Sökväg för objekt relaterade till skrivbordsprofiler" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" @@ -699,7 +713,7 @@ msgstr "" "Tiden i sekunder mellan uppslagningar av skrivbordsprofilsregler mot IPA-" "servern" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" 
@@ -707,46 +721,46 @@ msgstr "" "Tiden i minuter mellan uppslagningar av skrivbordsprofilsregler mot IPA-" "servern när den senaste förfrågan inte hittade någon regel" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Active Directory-domän" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "Aktivera Active Directory-domäner" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Adress till Active Directory-server" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Adress till Active Directory-reservserver" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Active Directory-klientvärdnamn" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "LDAP-filter för att bestämma åtkomstprivilegier" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Huruvida den globala katalogen skall användas för uppslagningar" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Arbetsläge för GPO-baserad åtkomstkontroll" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "Tidsåtgången mellan uppslagningar av GPO-policyfiler mot AD-servern" -#: 
src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -754,7 +768,7 @@ msgstr "" "PAM-tjänstenamn som översätts till GPO-policyinställningen " "(Deny)InteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -762,259 +776,259 @@ msgstr "" "PAM-tjänstenamn som översätts till GPO-policyinställningen " "(Deny)RemoteInteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "PAM-tjänstenamn som översätts till GPO-policyinställningen " "(Deny)NetworkLogonRight" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "PAM-tjänstenamn som översätts till GPO-policyinställningen " "(Deny)BatchLogonRight" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "PAM-tjänstenamn som översätts till GPO-policyinställningen " "(Deny)ServiceLogonRight" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "PAM-tjänstenamn för vilka GPO-baserad åtkomst alltid tillåts" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "PAM-tjänstenamn för vilka GPO-baserad åtkomst alltid nekas" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Standardinloggningsrättigheter (eller permit/deny) att använda för omappade " "PAM-tjänstenamn" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "en viss sajt att användas av klienten" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum 
age in days before the machine account password should be renewed" msgstr "Maximal ålder i dagar innan maskinkontots lösenord skall förnyas" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "Flagga för att trimma maskinkontots förnyelseuppgift" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Adress till Kerberosserver" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Adress till reservserver för Kerberos" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Kerberosrike" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Autentiseringstidsgräns" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Huruvida kdcinfo-filer skall skapas" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Var konfigurationssnuttar för krb5 skall läggas" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Katalog att lagra kreditiv-cachar i" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Plats för användarens kreditiv-cache" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Plats för nyckeltabellen för att validera kreditiv" 
-#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Aktivera validering av kreditiv" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "Lagra lösenord när ej ansluten för ansluten autentisering senare" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Förnybar livstid för TGT:n" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Livstid för TGT:n" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Tid mellan två kontroller av förnyelse" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Aktiverar FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Väljer huvudman att använda för FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Aktivera kanonisk form av huvudman" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Aktiverar företagshuvudmän" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "En översättning från användarnamn till Kerberos huvudmansnamn" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service 
is running if not on the KDC" msgstr "Server där ändringstjänsten för lösenord kör om inte på KDC:n" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, URI:n för LDAP-servern" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, URI:n för LDAP-servern" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Standard bas-DN" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Schematypen som används i LDAP-servern, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "Läge som används för att ändra användares lösenord" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Standard bindnings-DN" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Typen på autentiserings-token för standard bindnings-DN" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Autentiserings-token för standard bindnings-DN" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "Tidslängd att försöka ansluta" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Tidslängd att försöka synkrona LDAP-operationer" -#: 
src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "Tidslängd mellan försök att återansluta vid frånkoppling" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Använd endast versaler för namn på riken" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Fil som innehåller CA-certifikat" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Sökväg till katalogen med CA-certifikat" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Fil som innehåller klientcertifikatet" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Fil som innehåller klientnyckeln" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Lista över möjliga chiffersviter" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Kräv TLS-certifikatverifiering" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "Ange sasl-mekanismen att använda" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Ange sasl-auktorisering-id att använda" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Ange 
sasl-auktoriseringsrike att använda" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "Ange minsta SSF för LDAP-sasl-auktorisering" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Kerberostjänstens nyckeltabell" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Använd Kerberosautentisering för LDAP-anslutningar" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Följer LDAP-hänvisningar" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Livslängd på TGT för LDAP-anslutning" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Hur alias skall derefereras" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Tjänstenamn för uppslagning av DNS-tjänster" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "Antalet poster som skall hämtas i en enda LDAP-fråga" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "Antalet medlemmar som måste saknas för att orsaka en fullständig dereferering" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1022,377 +1036,377 @@ msgstr "" "Huruvida LDAP-biblioteket skall utföra en omvänd uppslagning för att ta fram " "värdnamnets kanoniska form under en SASL-bindning" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "entryUSN-attribut" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "lastUSN-attribut" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" "Hur länge en anslutning till LDAP-servern skall behållas före den kopplas ner" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Avaktivera flödesstyrningen (paging) av LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Avaktivera Active Directorys intervallhämtande" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Tidslängd att vänta på en sökbegäran" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Tidslängd att vänta på en uppräkningsbegäran" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Tidslängd mellan uppräkningsuppdateringar" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Tidslängd mellan cache-tömningar" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Kräv TLS för 
ID-uppslagningar" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "Använd ID-översättning av objectSID istället för förhandssatta ID:n" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Bas-DN för användaruppslagningar" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Omfång av användaruppslagningar" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Filter för användaruppslagningar" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Objektklass för användare" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Användarnamnsattribut" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "UID-attribut" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Primärt GID-attribut" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "GECOS-attribut" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Hemkatalogattribut" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Skalattribut" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "UUID-attribut" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: 
src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "objectSID-attribut" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "Primärt gruppattribut i Active Directory för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Användarens huvudmansattribut (för Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Fullständigt namn" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "medlemAv-attribut" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Modifieringstidsattribut" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "attributet shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "shadowMin-attribut" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "shadowMax-attribut" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "shadowWarning-attribut" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "shadowInactive-attribut" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "shadowExpire-attribut" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 
msgid "shadowFlag attribute" msgstr "shadowFlag-attribut" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Attribut för listning av auktoriserade PAM-tjänster" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Attribut för listning av auktoriserade servervärdar" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "Attribut för listning av auktoriserade server-rhosts" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "attributet krbLastPwdChange" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "krbPasswordExpiration-attribut" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "Attribut som indikerar att serversidans lösenordspolicyer är aktiva" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "AD:s attribut accountExpires" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "AD:s attribut userAccountControl" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "attributet nsAccountLock" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "NDS attribut loginDisabled" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid 
"loginExpirationTime attribute of NDS" msgstr "NDS attribut loginExpirationTime" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "NDS attribut loginAllowedTimeMap" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Attribut för publik SSH-nyckel" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "attribut för listning av tillåtna autentiseringstyper för en användare" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "attribut som innehåller användarens X509-certifikat" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "attribut som innehåller e-postadresser till användaren" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "En lista över extra attribut att hämta tillsammans med användarposten" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "Bas-DN för gruppuppslagningar" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Objektklass för grupper" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Gruppnamn" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Grupplösenord" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 
msgid "GID attribute" msgstr "GID-attribut" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Gruppmedlemsattribut" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "Grupp-UUID-attribut" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Modifieringstidsattribut för grupper" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Typen av grupp och andra flaggor" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "LDAP-gruppens externa medlemsattribut" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "Maximal nästlingsnivå SSSD kommer följa" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "Bas-DN för nätgruppuppslagningar" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Objektklass för nätgrupper" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Nätgruppnamn" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Attribut på nätgruppmedlemmar" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Attribut på nätgruppstripplar" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for 
netgroups" msgstr "Modifieringstidsattribut för nätgrupper" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Bas-DN för tjänsteuppslagningar" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Objektklass för tjänster" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Tjänstenamnsattribut" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Tjänsteportsattribut" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Tjänsteprotokollsattribut" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Undre gräns för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Övre gräns för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "Antal ID:n till varje skiva vid ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "Använd en autorid-kompatibel algoritm för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "Standarddomänens namn för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "Standarddomänens SID för ID-mappning" -#: src/config/SSSDConfig/__init__.py.in:411 +#: 
src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "Antal sekundära skivor" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Huruvida Token-Groups skall användas" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Sätt undre gräns för tillåtna ID:n från LDAP-servern" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Sätt övre gräns för tillåtna ID:n från LDAP-servern" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN för ppolicy-frågor" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "Hur många poster att maximalt hämta i en joker-begäran" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Policy för att utvärdera utgång av lösenord" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "Vilka attribut skall användas för att avgöra om ett konto gått ut" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "Vilka regler skall användas för att avgöra åtkomstkontroll" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "URI till en LDAP-server där lösenordsändringar är tillåtna" -#: 
src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "URI till en reserv-LDAP-server där lösenordsändringar är tillåtna" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "DNS-tjänstenamn för LDAP-lösenordsändringsservern" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" @@ -1400,24 +1414,24 @@ msgstr "" "Huruvida attributet ldap_user_shadow_last_change skall uppdateras efter en " "ändring av lösenord" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Bas-DN för regeluppslagningar" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Intervall mellan automatisk fullständig omläsning" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Intervall mellan automatisk smart omläsning" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" "Huruvida regler skall filtreras efter värdnamn, IP-adresser och nätverk" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1425,221 +1439,225 @@ msgstr "" "Värdnamn och/eller fullständigt kvalificerade domännamn på denna maskin för " "att filtrera sudo-regler" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "IPv4- eller IPv6-adresser eller -nätverk för denna maskin för att filtrera " "sudo-regler" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Huruvida regler som innehåller nätgrupper i värdattribut skall inkluderas" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Huruvida regler som innehåller reguljära uttryck i värdattribut skall " "inkluderas" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Objektklass för sudo-regler" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Sudo-regelnamn" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Attribut för sudo-regelkommandon" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Attribut för sudo-regelvärd" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Attribut för sudo-regelanvändare" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "Attribut 
för sudo-regelflaggor" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "Sudo-regel-runas-attribut" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "Attribut för sudo-runasuser" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Attribut på runasgroup i sudo-regel" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Attribut för sudo-notbefore-regler" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Attribut för sudo-notafter-regler" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Attribut för sudo-order-regler" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Objektklass för avbildningar för automatmonterare" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Attribut för namn i avbildningar för automatmonterare" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Objektklass för poster i avbildningar för automatmonterare" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Attribut för postnycklar i avbildningar för automatmonterare" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Attribut på postvärde i avbildning 
för automatmonteraren" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "Bas-DN för uppslagningar i avbildningar för automatmonterare" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Kommaseparerad lista över tillåtna användare" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Kommaseparerad lista över förbjudna användare" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Standardskal, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Bas för hemkataloger" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "Antal ombudsbarn före grening" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Namnet på NSS-biblioteket att använda" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "Huruvida kanoniska gruppnamn skall slås upp från cachen om möjligt" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "PAM-stack att använda" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "Sökväg till lösenordsfilkällor." -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "Sökväg till gruppfilkällor." 
-#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Bli en demon (standard)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Kör interaktivt (inte en demon)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "Avaktivera netlink-gränssnittet" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Ange en konfigurationsfil annan än standard" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "Uppdatera konfigurationsdatabasen, avsluta sedan" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "Liknande --genconf, men uppdaterar endast den angivna sektionen" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Skriv ut versionsnumret och avsluta" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "SSSD kör redan\n" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Felsökningsnivå" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Lägg till felsökningstidstämplar" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Visa tidsstämplar med mikrosekunder" -#: src/providers/krb5/krb5_child.c:3238 
src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "En öppen fildeskriptor för felsökningsloggarna" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "Skicka felsökningsutdata direkt till standard fel." -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "Användaren att skapa en FAST-ccache som" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "Gruppen att skapa en FAST-ccache som" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "Kerberosrike att använda" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "Begärd livslängd på biljetten" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "Begärd förnybar livslängd på biljetten" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "FAST-flaggor (”never”, ”try”, ”demand”)" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "Anger serverhuvudmannen att använda för FAST" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "Begär kanonisering av huvudmannanamnet" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of 
krb5_get_init_creds_password" msgstr "Använd en anpassad version av krb5_get_init_creds_password" 
@@ -1647,82 +1665,82 @@ msgstr "Använd en anpassad version av krb5_get_init_creds_password" msgid "Domain of the information provider (mandatory)" msgstr "Domän för informationsleverantören (obligatoriskt)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "Privilegierat uttag (socket) har fel ägarskap eller rättigheter." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "Publikt uttag (socket) har fel ägarskap eller rättigheter." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Oväntat format på serverns kreditivmeddelande." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD körs inte av root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "SSSD-uttaget finns inte." -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "Kan inte ta status på SSSD-uttaget." -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Ett fel uppstod, men ingen beskrivning kan hittas." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Oväntat fel vid sökning efter ett felmeddelande" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "Åtkomst nekas. 
" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Servermeddelande: " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Lösenorden stämmer inte överens" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Återställning av lösenord av root stöds inte." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Autentiserad med cachade kreditiv" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", ditt cache-lösenord kommer gå ut: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "Ditt lösenord har gått ut. Du har en frist på %1$d inloggningar kvar." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Ditt lösenordet kommer gå ut om %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Autentisering nekas till: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Systemet är frånkopplat, ändring av lösenord är inte möjligt" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1730,65 +1748,65 @@ msgstr "" "Efter att ha ändrat OTP-lösenordet behöver du logga ut och tillbaka in för " "att få en biljett" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Lösenordsändringen misslyckades. " -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Nytt lösenord: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Skriv det nya lösenordet igen: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "Första faktorn: " -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "Andra faktorn (frivillig): " -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "Andra faktorn: " -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Lösenord: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "Första faktorn (nuvarande lösenord): " -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Nuvarande lösenord: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Lösenordet har gått ut. Ändra ditt lösenord nu." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Felsökningsnivån att köra med" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "SSSD-domäner att använda" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Fel när lokalen sattes\n" 
@@ -1804,27 +1822,27 @@ msgstr "Ingen användare angiven\n" msgid "Error looking up public keys\n" msgstr "Fel vid uppslagning av publika nycklar\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Porten att använda för att ansluta till värden" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "Skriv ut värdens publika ssh-nycklar" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Felaktig port\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Värden inte angiven\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Sökvägen till proxy-kommandot måste vara absolut\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "sss_ssh_knownhostsproxy: Det gick inte att slå upp värdnamnet %s\n" 
@@ -1876,21 +1894,21 @@ msgstr "Ange en användare att lägga till\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Fel vid initiering av verktygen — ingen lokal domän\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Fel vid initiering av verktygen\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "Ogiltig domän angiven i FQDN\n" @@ -1911,7 +1929,7 @@ msgstr "Grupper måste finnas i samma domän som användaren\n" msgid "Cannot find group %1$s in local domain\n" msgstr "Hittar inte gruppen %1$s i den lokala domänen\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Kan inte sätta standardvärden\n" 
@@ -1990,7 +2008,7 @@ msgstr "Gruppen %1$s är utanför det definierade ID-intervallet för domänen\n #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2062,15 +2080,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Transaktionsfel. Det gick inte att ändra gruppen.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magiskt privat " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sGrupp: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Magiskt privat " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2119,72 +2137,72 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Internt fel. Det gick inte att skriva ut gruppen.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Ta bort hemkatalog och brevlåda" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Ta inte bort hemkatalog och brevlåda" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Framtvinga borttagning av filer som inte ägs av användaren" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Döda användares processer före de tas bort" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Ange användare att ta bort\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" "Användaren %1$s är utanför det definierade ID-intervallet för domänen\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "Kan inte återställa SELinux-inloggningskontext\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "VARNING: Användaren (uid %1$lu) var fortfarande inloggad när han togs bort.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "Det går inte att avgöra om användaren var inloggad på denna plattform" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "Fel vid kontroll om användaren var inloggad\n" -#: src/tools/sss_userdel.c:288 +#: 
src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "Kommandot efter borttagandet misslyckades: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "Tar inte bort hemkatalogen - ägs inte av användaren\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Kan inte ta bort hemkatalogen: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "Ingen sådan användare i den lokala domänen. Det går endast att ta bort " "användare i den lokala domänen.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Internt fel. Det gick inte att ta bort användaren.\n" 
@@ -2269,71 +2287,71 @@ msgstr "Kunde inte invalidera %1$s\n" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "Kunde inte invalidera %1$s %2$s\n" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "Invalidera alla cachade poster" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Invalidera en viss användare" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Invalidera alla användare" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Invalidera en viss grupp" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Invalidera alla grupper" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Invalidera en viss nätgrupp" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Invalidera alla nätgrupper" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Invalidera en viss tjänst" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Invalidera alla tjänster" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Invalidera en viss autofs-mapp" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Invalidera alla autofs-mappar" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "Invalidera en viss SSH-värd" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "Invalidera alla SSH-värdar" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "Invalidera en viss sudo-regel" -#: 
src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "Invalidera alla cachade sudo-regler" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Invalidera endast poster från en viss domän" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" @@ -2341,11 +2359,11 @@ msgstr "" "Oväntat argument angivet, flaggor som invaliderar ett ensamt objekt tar bara " "ett ensamt angivet argument.\n" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "Välj åtminstone ett objekt att invalidera\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2354,7 +2372,7 @@ msgstr "" "Kunde inte öppna domänen %1$s. Om domänen är en underdomän (betrodd domän), " "använd fullt kvalificerat namn istället för parametrarna --domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Kunde inte öppna tillgängliga domäner\n" @@ -2391,7 +2409,6 @@ msgid "Invalid result." msgstr "Felaktigt resultat." #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "Kan inte läsa användarens indata\n" @@ -2401,7 +2418,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "Felaktig indata, ange antingen ”%s” eller ”%s”.\n" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "Fel när externt kommando kördes\n" 
@@ -2477,36 +2493,58 @@ msgstr "Init-gruppers utgångstid" msgid "Search by group ID" msgstr "Sök via grupp-ID" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 +#, fuzzy, c-format +msgid "Failed to open %s\n" +msgstr "Kan inte tolka namnet %s.\n" + +#: src/tools/sssctl/sssctl_config.c:75 +#, fuzzy, c-format +msgid "File %1$s does not exist.\n" +msgstr "SSSD-uttaget finns inte." + +#: src/tools/sssctl/sssctl_config.c:79 +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" +"Kontrollen av filens ägarskap och rättigheter misslyckades. root:root och " +"0600 förväntades.\n" + +#: src/tools/sssctl/sssctl_config.c:85 #, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +#, fuzzy msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " +"There is no configuration. SSSD will use default configuration with files " "provider.\n" msgstr "" "Filen %1$s finns inte. SSSD kommer använda standardkonfigurationen med " "filleverantörer.\n" -#: src/tools/sssctl/sssctl_config.c:81 -#, c-format -msgid "" -"File ownership and permissions check failed. Expected root:root and 0600.\n" +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" msgstr "" -"Kontrollen av filens ägarskap och rättigheter misslyckades. 
root:root och " -"0600 förväntades.\n" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "Problem identifierade av validerare: %zu\n" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "Meddelanden genererade under sammanslagning av konfigurationen: %zu\n" -#: src/tools/sssctl/sssctl_config.c:127 -#, c-format -msgid "Used configuration snippet files: %u\n" +#: src/tools/sssctl/sssctl_config.c:137 +#, fuzzy, c-format +msgid "Used configuration snippet files: %zu\n" msgstr "Använda konfigurationssnuttfiler: %u\n" #: src/tools/sssctl/sssctl_data.c:89 @@ -2519,12 +2557,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "En SSSD-säkerhetskopia av lokala data finns redan, åsidosätt?" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "Kan inte exportera användaråsidosättanden\n" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "Kan inte exportera gruppåsidosättanden\n" @@ -2533,17 +2569,15 @@ msgid "Override existing backup" msgstr "Åsidosätt befintlig säkerhetskopia" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "Kan inte importera användaråsidosättanden\n" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "Kan inte importera gruppåsidosättanden\n" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "Starta SSSD om den inte kör" 
@@ -2564,28 +2598,23 @@ msgid "Start SSSD when the cache is removed" msgstr "Starta SSSD när cachen är borttagen" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "Skapa säkerhetskopia av lokala data …\n" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" "Kan inte skapa säkerhetskopia av lokala data, kan inte ta bort cachen.\n" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "Tar bort cache-filer …\n" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "Kan inte ta bort cache-filer\n" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "Återställer lokala data …\n" @@ -2593,17 +2622,11 @@ msgstr "Återställer lokala data …\n" msgid "Show domain list including primary or trusted domain type" msgstr "Visa domänlistan inklusive primär eller betrodd domäntyp" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "Det går inte att ansluta till systembussen!\n" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "Uppkopplingsstatus: %s\n" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "Uppkopplad" 
@@ -2612,52 +2635,62 @@ msgstr "Uppkopplad" msgid "Offline" msgstr "Frånkopplad" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "Uppkopplingsstatus: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:213 +#, fuzzy +msgid "This domain has no active servers.\n" +msgstr "Visa information om aktiv server" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "Aktiva servrar:\n" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "inte ansluten" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "Upptäckte %s servrar:\n" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "Ingen än så länge.\n" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "Visa uppkopplingsstatus" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "Visa information om aktiv server" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "Visa lista över upptäckta servrar" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "Ange domännamn." 
-#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "Slut på minne!\n" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "Kan inte ta reda på uppkopplingsstatus\n" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "Kan inte ta reda på serverlistan\n" @@ -2670,27 +2703,22 @@ msgid "Delete log files instead of truncating" msgstr "Radera loggfiler istället för att hugga av" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "Raderar loggfiler …\n" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "Kan inte ta bort loggfiler\n" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "Hugger av loggfiler …\n" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "Kan inte hugga av loggfiler\n" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "Slut på minne!" @@ -2700,7 +2728,6 @@ msgid "Archiving log files into %s...\n" msgstr "Arkiverar loggfiler in i %s …\n" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "Kan inte arkivera loggfiler\n" @@ -2709,7 +2736,6 @@ msgid "Specify debug level you want to set" msgstr "Ange felsökningsnivå du vill sätta" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "Resultat av SSSD InfoPipe-användaruppslagning:\n" 
@@ -2724,7 +2750,6 @@ msgid "dlsym failed with [%s].\n" msgstr "dlsym misslyckades med [%s].\n" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "malloc misslyckades.\n" @@ -2734,7 +2759,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "sss_getpwnam_r misslyckades med [%d].\n" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "Resultat av SSSD nss-användaruppslagning:\n" @@ -2797,23 +2821,22 @@ msgstr "" "tjänst: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "Användarnamnsuppslagning med [%s] misslyckades.\n" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "InfoPipe-användaruppslagning med [%s] misslyckades.\n" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "pam_start misslyckades: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" @@ -2821,12 +2844,12 @@ msgstr "" "testar pam_authenticate\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "pam_get_item misslyckades: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" @@ -2835,8 +2858,7 @@ msgstr "" "pam_authenticate för användaren [%s]: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" 
@@ -2844,7 +2866,7 @@ msgstr "" "testar pam_chauthtok\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" @@ -2853,8 +2875,7 @@ msgstr "" "pam_chauthtok: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" @@ -2862,7 +2883,7 @@ msgstr "" "testar pam_acct_mgmt\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" @@ -2871,8 +2892,7 @@ msgstr "" "pam_acct_mgmt: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" @@ -2880,7 +2900,7 @@ msgstr "" "testar pam_setcred\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" @@ -2889,8 +2909,7 @@ msgstr "" "pam_setcred: [%s]\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" @@ -2898,7 +2917,7 @@ msgstr "" "testar pam_open_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" @@ -2907,8 +2926,7 @@ msgstr "" "pam_open_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" @@ -2916,7 +2934,7 @@ msgstr "" "testar pam_close_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" 
@@ -2925,18 +2943,15 @@ msgstr "" "pam_close_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "okänd åtgärd\n" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "PAM-miljö:\n" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr " - ingen miljö -\n" diff --git a/po/tg.po b/po/tg.po index e3e6d5b440e..5009cf304f7 100644 --- a/po/tg.po +++ b/po/tg.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:48+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/" @@ -77,12 +77,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -296,1280 +296,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials 
for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid 
"Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: 
src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: 
src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: 
src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be 
renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: 
src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 
msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Номи гурӯҳ" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "Пароли гурӯҳ" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Аттрибути GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for 
services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for 
ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: 
src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: 
src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: 
src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: 
src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1577,146 +1591,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Паролҳо номувофиқанд" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Пароли нав:" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Парол:" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1732,27 +1746,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1804,21 +1818,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1839,7 +1853,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1916,7 +1930,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1978,15 +1992,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2029,68 +2043,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2169,88 +2183,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2285,7 +2299,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2295,7 +2308,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2371,32 +2383,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2409,12 +2442,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2423,17 +2454,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2454,27 +2483,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2482,17 +2506,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2501,52 +2519,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2559,27 +2586,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2589,7 +2611,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2598,7 +2619,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2613,7 +2633,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2623,7 +2642,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2680,122 +2698,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/tr.po b/po/tr.po index a66b7303f4b..f05e7dca86a 100644 --- a/po/tr.po +++ b/po/tr.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:49+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Turkish (http://www.transifex.com/projects/p/sssd/language/" @@ -78,12 +78,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -297,1280 +297,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "En az kullanıcı ID'si" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "En fazla kullanıcı ID'si" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: 
src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA alanı" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access 
control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine 
account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos sunucu adresi" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the 
TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: 
src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 
msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: 
src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule 
runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy 
children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: 
src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1578,146 +1592,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1733,27 +1747,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1805,21 +1819,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1840,7 +1854,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1917,7 +1931,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1979,15 +1993,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2030,68 +2044,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2170,88 +2184,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2286,7 +2300,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2296,7 +2309,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2372,32 +2384,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2410,12 +2443,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2424,17 +2455,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2455,27 +2484,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2483,17 +2507,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2502,52 +2520,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2560,27 +2587,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2590,7 +2612,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2599,7 +2620,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2614,7 +2634,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2624,7 +2643,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2681,122 +2699,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/uk.po b/po/uk.po index ed24d154b30..098e0d472dc 100644 --- a/po/uk.po +++ b/po/uk.po @@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2019-08-16 05:48+0000\n" "Last-Translator: Yuri Chornoivan \n" "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/" 
@@ -87,12 +87,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "Час очікування для повідомлень, надісланих за допомогою SBUS" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "Формальний вираз для обробки імені користувача і домену" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "Сумісний з printf формат показу повних назв" 
@@ -343,56 +343,66 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "Шлях до сховища надійних сертифікатів служб сертифікації (CA)" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" "Список унікальних ідентифікаторів (UID) або імен користувачів, яким надано " "доступ до відповідача PAC" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "Час, протягом якого дані PAC вважатимуться чинними" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" "Список унікальних ідентифікаторів (UID) або імен користувачів, яким надано " "доступ до відповідача InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "Список атрибутів запису користувача, які може оприлюднювати InfoPipe" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "Модуль надання даних, у якому будуть зберігатися реєстраційні дані" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "Максимальна дозволена кількість вкладених контейнерів" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be 
stored" msgstr "Максимальна кількість записів реєстраційних даних, які можна зберігати" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" "Максимальна кількість записів реєстраційних даних, які можна зберігати за UID" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "Максимальний обсяг запису реєстраційних даних у кілобайтах" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "Адреса, на якій очікує дані сервер Custodia" -#: src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "Спосіб розпізнавання сервером Custodia" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" @@ -400,11 +410,11 @@ msgstr "" "Назва заголовків, які буде додано до запиту HTTP зі значенням, яке визначено " "в auth_header_value" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "Значення, яке sssd-secrets має використовувати для auth_header_name" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" 
@@ -412,27 +422,27 @@ msgstr "" "Список заголовків, які слід переспрямувати до сервера Custodia разом із " "запитом" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" "Ім'я користувача, яким слід скористатися для розпізнавання на сервері " "Custodia з використанням basic_auth" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" "Пароль, яким слід скористатися для розпізнавання на сервері Custodia з " "використанням basic_auth" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" "Якщо має значення true, сертифікат вузла перевірятиметься, якщо proxy_url " "використовує протокол https" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" 
@@ -440,113 +450,113 @@ msgstr "" "Якщо має значення false, сертифікат вузла може містити іншу назву вузла ніж " "proxy_url, якщо використано протокол https" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "Шлях до каталогу, у якому зберігаються сертифікати служби сертифікації" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" "Шлях до файла, у якому міститься сертифікат служби сертифікації (CA) сервера" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" msgstr "Шлях до файла, у якому міститься сертифікат клієнта" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "Шлях до файла, у якому міститься закритий ключ клієнта" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "Служба профілів" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "Служба розпізнавання" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "Служба керування доступом" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "Служба зміни паролів" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "Служба SUDO" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "Служба автоматизації файлових систем" -#: src/config/SSSDConfig/__init__.py.in:159 +#: 
src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "Служба профілів вузлів" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "Надавач даних SELinux" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "Засіб керування сеансами" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" "Визначає, чи можна використовувати домен у операційній системі або у " "програмах" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "Мін. ідентифікатор користувача" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "Макс. ідентифікатор користувача" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "Увімкнути нумерацію всіх користувачів/груп" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "Кешувати реєстраційні дані для автономного входу" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "Показувати записи користувачів/груп повністю" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "Не включати учасників групи у пошуки групи" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: 
src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "Тривалість кешування записів (у секундах)" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" "Обмежити або надавати перевагу певному сімейству адрес під час виконання " "пошуків DNS" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" "Тривалість зберігання кешованих записів після останнього успішного входу (у " "днях)" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" 
@@ -554,202 +564,202 @@ msgstr "" "Гранична тривалість спроби обмінятися даними SSSD з окремим сервером DNS, " "перш ніж програма спробує наступний сервер (у мілісекундах)" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "Гранична тривалість спроби обробки окремого запиту DNS (у секундах)" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" "Тривалість очікування на відповідь від DNS під час визначення адрес серверів " "(у секундах)" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "Частина запиту щодо виявлення служби DNS, пов’язана з доменом" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" "Замінити значення ідентифікатора групи від надавача профілю цим значенням" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "Враховувати регістр у іменах користувачів" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "Наскільки часто має виконувати оновлення у тлі застарілих записів" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "Визначає, чи слід автоматично оновлювати запис DNS клієнта" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the 
client's DNS entry after updating it" msgstr "" "TTL, який слід застосовувати до запису DNS клієнта після його оновлення" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" "Інтерфейс, чию адресу IP має бути використано для динамічних оновлень DNS" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "Визначає, наскільки часто слід періодично оновлювати запис DNS клієнта" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" "Визначає, чи слід надавачу даних також явним чином оновлювати запис PTR" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "Визначає, чи слід програмі nsupdate типово використовувати TCP" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" "Визначає тип розпізнавання, який слід використовувати для виконання " "оновлення DNS" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" "Перевизначити сервер DNS, який використовуватиметься для виконання оновлення " "DNS" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "Керувати нумерацією надійних доменів" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be 
refreshed" msgstr "Частота оновлення списку піддоменів" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "Список параметрів, які має бути успадковано у піддомені" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "Типове значення домашнього каталогу для піддоменів" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" "Строк, протягом якого кешовані реєстраційні дані може бути використано для " "розпізнавання за кешем" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" "Визначає, чи слід автоматично створювати приватні групи для користувачів" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "Домен IPA" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "Адреса сервера IPA" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "Адреса резервного сервера IPA" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "Назва вузла клієнта IPA" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" "Визначає, чи слід автоматично оновлювати запис DNS клієнтського вузла у " "FreeIPA" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "Шукати у базі об’єкти, 
пов’язані з HBAC" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" "Інтервал часу між послідовними сеансами пошуку правил HBAC на сервері IPA" -#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "Час, у секундах, між пошуками у картах SELinux на сервері IPA" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" "Якщо встановлено значення «false», аргумент вузла, наданий PAM, буде " "проігноровано" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "Адреса автоматичного монтування, яку використовує цей клієнт IPA" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "Шукати у базі об’єкт, що містить дані щодо домену IPA" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "Шукати у базі об’єкти, що містять дані щодо діапазонів ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "Увімкнути сайти DNS — визначення служб на основі адрес" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "Шукати у базі контейнери перегляду" -#: src/config/SSSDConfig/__init__.py.in:221 
+#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "Клас об’єктів для контейнерів перегляду" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "Атрибут із назвою перегляду" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "Клас об’єктів для об’єктів перевизначення" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "Атрибут із посиланням на початковий об’єкт" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "Клас об’єктів для об’єктів перевизначення користувачів" -#: src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "Клас об’єктів для об’єктів перевизначення груп" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "Шукати у базі пов'язані і профілями станцій об'єкти" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" "Час, у секундах, між пошуками у правилах профілів станцій на сервері IPA" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" 
@@ -757,47 +767,47 @@ msgstr "" "Час, у хвилинах, між пошуками у правилах профілів станцій на сервері IPA, " "якщо під час останнього запиту не було знайдено жодного правила" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "Домен Active Directory" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "Увімкнені домени Active Directory" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "Адреса сервера Active Directory" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "Адреса резервного сервера Active Directory" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "Назва клієнтського вузла Active Directory" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "Фільтр LDAP для визначення прав доступу" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "Чи слід використовувати загальний каталог для пошуку" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "Режим роботи для керування доступом на основі GPO" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" "Інтервал часу між послідовними сеансами пошуку правил GPO на сервері 
AD" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" @@ -805,7 +815,7 @@ msgstr "" "Назви служб PAM, які виконують прив’язування до параметрів правил GPO " "(Deny)InteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" 
@@ -813,268 +823,268 @@ msgstr "" "Назви служб PAM, які виконують прив’язування до параметрів правил GPO " "(Deny)RemoteInteractiveLogonRight" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" "Назви служб PAM, які виконують прив’язування до параметрів правил GPO " "(Deny)NetworkLogonRight" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" "Назви служб PAM, які виконують прив’язування до параметрів правил GPO " "(Deny)BatchLogonRight" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" "Назви служб PAM, які виконують прив’язування до параметрів правил GPO " "(Deny)ServiceLogonRight" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "Назви служб PAM, яким завжди надається доступ на основі GPO" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "Назви служб PAM, яким ніколи не надається доступ на основі GPO" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" "Типове правило входу (або допуск/заборона), яким слід користуватися для " "неприв’язаних назв служб PAM" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "певний сайт, який слід використовувати клієнту" -#: src/config/SSSDConfig/__init__.py.in:251 
+#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be renewed" msgstr "" "Максимальний вік пароля облікового запису комп'ютера, при досягненні якого " "пароль має бути оновлено" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" "Параметр налаштовування завдання оновлення облікових записів комп’ютерів" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Адреса сервера Kerberos" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "Адреса резервного сервера Kerberos" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "Область Kerberos" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "Час очікування на розпізнавання" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "Визначає, чи слід створювати файли kdcinfo" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "Місце, куди слід скидати фрагменти налаштувань krb5" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "Каталог, де зберігатиметься кеш реєстраційних даних" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "Адреса кешу реєстраційних даних користувача" -#: 
src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "Адреса таблиці ключів для перевірки реєстраційних даних" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "Увімкнути перевірку реєстраційних даних" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "Зберігати пароль у автономному режимі для розпізнавання у мережі" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "Поновлюваний строк дії TGT" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "Строк дії TGT" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "Граничний час між двома перевірками для поновлення" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "Вмикає FAST" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "Визначає реєстраційний запис, який слід використовувати для FAST" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "Вмикає перетворення реєстраційних записів у канонічну форму" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "Увімкнути промислові реєстраційні дані" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr 
"Прив’язка імен користувачів до основних імен Kerberos" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" "Сервер, на якому запущено службу зміни паролів, якщо такий не вдасться " "виявити у KDC" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "ldap_uri, адреса URI сервера LDAP" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "ldap_backup_uri, адреса сервера LDAP" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "Типова базова назва домену" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "Тип схеми, використаний на сервері LDAP, rfc2307" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "Режим для зміни пароля користувача" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "Типова назва домену прив’язки" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "Тип розпізнавання для типової назви сервера прив’язки" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "Лексема розпізнавання типової назви сервера прив’язки" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid 
"Length of time to attempt connection" msgstr "Проміжок часу між спробами встановлення з’єднання" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "Проміжок часу між спробами виконання синхронних операцій LDAP" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" "Проміжок часу між повторними спробами встановлення з’єднання у автономному " "режимі" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "Використовувати для назв областей лише великі літери" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "Файл, що містить сертифікати CA" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "Шлях до каталогу сертифікатів CA" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "Файл, що містить клієнтський сертифікат" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "Файл, що містить клієнтський ключ" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "Показати список можливих інструментів шифрування" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "Потрібна перевірка сертифіката TLS" -#: src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr 
"Вкажіть механізм SASL, який слід використовувати" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "Вкажіть ідентифікатор уповноваження SASL, який слід використовувати" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "Вкажіть область уповноваження SASL, яку слід використовувати" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" "Вказати мінімальне значення SSF для розпізнавання на LDAP за допомогою sasl" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "Таблиця ключів служби Kerberos" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "Розпізнавання Kerberos для з’єднання LDAP" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "Переходити за посиланнями LDAP" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "Строк дії TGT для з’єднання LDAP" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "Спосіб розіменування псевдонімів" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "Назва служби для пошуків за допомогою служби DNS" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "Кількість записів, які слід отримувати у відповідь на один запит LDAP" -#: 
src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" "Кількість учасників, яких має не вистачати для вмикання повного скасування " "посилань" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" 
@@ -1082,390 +1092,390 @@ msgstr "" "Визначає, чи має бібліотека LDAP виконувати зворотній пошук з метою " "переведення назв вузлів у канонічну форму під час прив’язки до SASL" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "Атрибут entryUSN" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "Атрибут lastUSN" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "Тривалість підтримування з’єднання з сервером LDAP перед роз’єднанням" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "Вимкнути контроль сторінок у LDAP" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "Вимкнути отримання діапазонів Active Directory" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "Тривалість очікування на дані запиту пошуку" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "Тривалість очікування на дані запиту щодо переліку" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "Проміжок часу між оновленнями нумерації" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "Проміжок часу між спорожненнями кешу" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "Вимагати TLS 
для пошуків ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" "Використовувати відповідності ідентифікаторів objectSID замість попередньо " "встановлених ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "Базова назва домену для пошуків користувачів" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "Діапазон пошуків користувачів" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "Фільтр пошуку користувачів" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "Клас об’єктів для користувачів" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "Атрибут імені користувача" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "Атрибут UID" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "Головний атрибут GID" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "Атрибут GECOS" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "Атрибут домашнього каталогу" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "Атрибут оболонки" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "Атрибут UUID" -#: 
src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "Атрибут objectSID" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" "Атрибут основної групи Active Directory для встановлення відповідності " "ідентифікатора" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "Атрибут реєстраційного запису користувача (для Kerberos)" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "Повне ім'я" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "Атрибут memberOf" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "Атрибут часу зміни" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "Атрибут shadowLastChange" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "Атрибут shadowMin" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "Атрибут shadowMax" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "Атрибут shadowWarning" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "Атрибут shadowInactive" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr 
"Атрибут shadowExpire" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "Атрибут shadowFlag" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "Атрибути зі списком уповноважених служб PAM" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "Атрибути зі списком уповноважених серверних вузлів" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "Атрибути зі списком уповноважених серверних r-вузлів" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "Атрибут krbLastPwdChange" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "Атрибут krbPasswordExpiration" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" "Атрибут, що відповідає за активізацію правил обробки паролів на боці сервера" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "Атрибут accountExpires AD" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "Атрибут userAccountControl AD" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "Атрибут nsAccountLock" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "Атрибут loginDisabled 
NDS" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "Атрибут loginExpirationTime NDS" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "Атрибут loginAllowedTimeMap NDS" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "Атрибут відкритого ключа SSH" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "атрибут зі списком дозволених типів розпізнавання для користувача" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "атрибут, що містить сертифікат X509 користувача" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "атрибут, що містить адресу електронної пошти користувача" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" "Список додаткових атрибутів, які слід отримувати разом із записом користувача" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "Базова назва домену для пошуків груп" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "Клас об’єктів для груп" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "Назва групи" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr 
"Пароль групи" -#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "Атрибут GID" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "Атрибут членства у групі" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "Атрибут UUID групи" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "Атрибут часу зміни для груп" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "Тип групи та інші прапорці" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "Атрибут групи LDAP зовнішнього учасника" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "Максимальний рівень вкладеності, який використовуватиме SSSD" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "Базова назва домену для пошуків груп у мережі" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "Клас об’єктів для груп у мережі" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "Назва мережевої групи" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "Атрибут членства у групах у мережі" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "Атрибут трійки груп 
у мережі" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "Атрибут часу зміни для мережевих груп" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "Базова сервер назв домену для пошуку служб" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "Клас об’єктів для служб" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "Атрибут назви служби" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "Атрибут порту служби" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "Атрибут протоколу служби" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "Нижня межа встановлення відповідності ідентифікатора" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "Верхня межа встановлення відповідності ідентифікатора" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" "Кількість ідентифікаторів для кожного зрізу під час встановлення " "відповідності ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" "Використовувати для встановлення відповідності ідентифікаторів алгоритм, " "сумісний з autorid" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain 
for ID-mapping" msgstr "Назва типового домену для встановлення відповідності ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "SID типового домену для встановлення відповідності ідентифікаторів" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "Кількість вторинних зрізів" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "Визначає, чи слід використовувати крупи реєстраційних записів" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "Встановити нижню межу для дозволених ідентифікаторів із сервера LDAP" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "Встановити верхню межу для дозволених ідентифікаторів із сервера LDAP" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "DN для запитів щодо ppolicy" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" "Максимальна кількість записів для отримання під час обробки запитів із " "замінниками" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "Правила оцінки завершення строку дії пароля" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" "Атрибути які слід використовувати для визначення чинності облікового запису" -#: 
src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" "Правила, які має бути використано для визначення достатності прав доступу" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "Адреса на сервері LDAP, для якої можливі зміни паролів" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "Адреса резервного сервера LDAP, для якої можливі зміни паролів" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "Назва у службі DNS сервера зміни паролів LDAP" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" 
@@ -1473,25 +1483,25 @@ msgstr "" "Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change після " "зміни пароля" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "Базова назва домену для пошуків правил sudo" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "Період автоматичного повного оновлення даних" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "Період автоматичного кмітливого оновлення даних" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" "Визначає, чи слід фільтрувати правила за назвами вузлів, IP-адресами та " "мережами" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" 
@@ -1499,226 +1509,230 @@ msgstr "" "Назви вузлів і/або повні назви у домені для цього комп’ютера для " "фільтрування списку правил sudo" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" "Адреси IPv4 або IPv6 чи мережа цього комп’ютера для фільтрування списку " "правил sudo" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" "Визначає, чи слід включати правила, що містять мережеву групу у атрибуті " "вузла" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" "Визначає, чи слід включати правила, що містять формальний вираз у атрибуті " "вузла" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "Клас об’єктів для правил sudo" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "Назва правила sudo" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "Атрибут команди правила sudo" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "Атрибут вузла правила sudo" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "Атрибут користувача правила sudo" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr 
"Атрибут параметрів правила sudo" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "Атрибут runas правила sudo" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" "Атрибут користувача, від імені якого виконуватиметься запуск, правила sudo" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "Атрибут групи, від імені якої виконуватиметься запуск, правила sudo" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "Атрибут граничного часу початку дії правила sudo" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "Атрибут граничного часу завершення дії правила sudo" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "Атрибут порядку правила sudo" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "Клас об’єктів для карт автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "Атрибут назви карти автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "Клас об’єктів для записів карт автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "Атрибут ключа запису карти автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:460 +#: 
src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "Атрибут значення запису карти автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "Базовий сервер назв домену для пошуків карти автоматичного монтування" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "Відокремлений комами список дозволених користувачів" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "Відокремлений комами список заборонених користувачів" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "Типова оболонка, /bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "Базова адреса домашніх каталогів" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "Кількість попередньо відгалужених дочірніх проксі-записів." 
-#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "Назва бібліотеки NSS, яку слід використовувати" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" "Визначає, чи слід виконувати пошук канонічної назви групи у кеші, якщо це " "можливо" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "Стек PAM, який слід використовувати" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "Шлях до початкового тексту файла passwd." -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "Шлях до початкового тексту файла group." -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "Запуститися фонову службу (типова поведінка)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "Запустити у інтерактивному режимі (без фонової служби)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "Вимкнути інтерфейс netlink" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "Вказати нетиповий файл налаштувань" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "Оновити налаштування бази даних, потім вийти" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "Подібний до --genconf, але оновлює дані лише вказаного розділу" -#: 
src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "Вивести номер версії і завершити роботу" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "SSSD вже запущено\n" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "Рівень зневаджування" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "Додавати діагностичні часові позначки" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "Показувати мікросекунди у часових позначках" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "Дескриптор відкритого файла для запису журналів діагностики" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "Надіслати діагностичну інформацію безпосередньо до stderr." 
-#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "Користувач, від імені якого слід створити ccache FAST" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "Група, від імені якої слід створити ccache FAST" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "Область Kerberos, якою слід скористатися" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "Запитаний строк дії квитка" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "Запитаний час оновлення строку дії квитка" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "Параметри FAST ('never', 'try', 'demand')" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" "Визначає реєстраційний запис сервера, який слід використовувати для FAST" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "Вимагає перетворення реєстраційного запису у канонічну форму" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "Використовувати нетипову версію krb5_get_init_creds_password" 
@@ -1726,82 +1740,82 @@ msgstr "Використовувати нетипову версію krb5_get_in msgid "Domain of the information provider (mandatory)" msgstr "Домен надання відомостей (обов’язковий)" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "У привілейованого сокета помилковий власник або права доступу." -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "У відкритого сокета помилковий власник або права доступу." -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "Некоректний формат повідомлення щодо реєстраційних даних сервера." -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "SSSD запущено не від імені користувача root." -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "Сокета SSSD не існує." -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "Не вдалося отримати статистику щодо сокета SSSD." -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "Сталася помилка, але не вдалося знайти її опису." -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "Неочікувана помилка під час пошуку опису помилки" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "Відмовлено у доступі. 
" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "Повідомлення сервера: " -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "Паролі не збігаються" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." msgstr "Підтримки скидання пароля користувачем root не передбачено." -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "Розпізнано за реєстраційними даними з кешу" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ", строк дії вашого кешованого пароля завершиться: " -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "Строк дії вашого пароля вичерпано. Залишилося %1$d резервних входи." -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "Строк дії вашого пароля завершиться за %1$d %2$s." -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "Розпізнавання заборонено до: " -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "Система працює у автономному режимі, зміна пароля неможлива" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" 
@@ -1809,65 +1823,65 @@ msgstr "" "Після зміни пароля OTP вам слід вийти із системи і увійти до неї знову, щоб " "отримати про квиток" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. " msgstr "Спроба зміни пароля зазнала невдачі. " -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "Новий пароль: " -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "Ще раз введіть новий пароль: " -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "Перший фактор:" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "Другий фактор (необов'язковий): " -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "Другий фактор:" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "Пароль: " -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "Перший фактор (поточний пароль): " -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "Поточний пароль: " -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." msgstr "Строк дії пароля вичерпано. Змініть ваш пароль." 
#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "Рівень діагностики під час запуску" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "Домен SSSD, який слід використовувати" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "Помилка під час спроби встановити локаль\n" 
@@ -1883,27 +1897,27 @@ msgstr "Не вказано користувача\n" msgid "Error looking up public keys\n" msgstr "Помилка під час спроби пошуку відкритих ключів\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "Порт, яким слід користуватися для встановлення з’єднань з вузлом" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "Вивести відкриті ключі SSH вузла" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "Некоректний порт.\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "Не вказано вузол\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "Має бути вказано абсолютний шлях до команди проксі-сервера\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "sss_ssh_knownhostsproxy: не вдалося визначити назву вузла %s\n" 
@@ -1955,21 +1969,21 @@ msgstr "Вкажіть користувача, запис якого слід д #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "Помилка ініціалізації інструментів: немає локального домену\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "Помилка ініціалізації інструментів\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "У FQDN вказано некоректний домен\n" @@ -1990,7 +2004,7 @@ msgstr "Групи мають належати до того самого дом msgid "Cannot find group %1$s in local domain\n" msgstr "Не вдалося знайти групу %1$s у локальному домені\n" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "Не вдалося встановити типові значення\n" 
@@ -2073,7 +2087,7 @@ msgstr "Група %1$s не належить визначеному діапа #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" @@ -2147,15 +2161,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "Помилка під час виконання операції Не вдалося змінити групу.\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Магічна приватна " + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "%1$s%2$sГрупа: %3$s\n" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "Магічна приватна " - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2204,74 +2218,74 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "Внутрішня помилка. Не вдалося вивести дані групи.\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "Вилучити домашній каталог і поштовий буфер" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "Не вилучати домашній каталог і поштовий буфер" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "Примусово вилучити файли, які не належать користувачеві" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "Припинити роботу процесів користувача перед вилученням його запису" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "Вкажіть користувача, запис якого слід вилучити\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" "Користувач %1$s не належить визначеному діапазону ідентифікаторів домену\n" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "Не вдалося відновити початковий контекст входу SELinux\n" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" "ПОПЕРЕДЖЕННЯ: користувач (uid %1$lu) все ще працював у системі на час " "вилучення його запису.\n" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" "Не вдалося визначити, чи увійшов користувач до системи на цій платформі" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged 
in\n" msgstr "Помилка під час перевірки входу користувача до системи\n" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "Помилка команди, яку слід було виконати після вилучення запису: %1$s\n" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "Домашній каталог не буде вилучено. Він не належить користувачеві.\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "Не вдалося вилучити домашній каталог: %1$s\n" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. Removing users only allowed in local domain.\n" msgstr "" "У локальному домені немає такого користувача. Вилучення користувачів можливе " "лише у межах локального домену.\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "Внутрішня помилка Не вдалося вилучити запис користувача.\n" 
@@ -2359,71 +2373,71 @@ msgstr "Не вдалося скасувати чинність %1$s\n" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "Не вдалося скасувати чинність %1$s %2$s\n" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "Скасувати чинність усіх кешованих записів" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "Скасувати визначення певного користувача" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "Скасувати визначення всіх користувачів" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "Скасувати визначення певної групи" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "Скасувати визначення всіх груп" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "Скасувати визначення певної мережевої групи" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "Скасувати визначення всіх мережевих груп" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "Скасувати визначення певної служби" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "Скасувати визначення всіх служб" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "Скасувати визначення певну карту autofs" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "Скасувати визначення всіх карт autofs" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "Скасувати чинність певного вузла SSH" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "Скасувати чинність усіх вузлів 
SSH" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "Скасувати чинність певного правила sudo" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "Скасувати чинність усіх кешованих правил sudo" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "Скасувати визначення лише записів з певного домену" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" @@ -2431,12 +2445,12 @@ msgstr "" "Надано неочікувані аргументи. Параметри, які скасовують чинність окремого " "об'єкта вимагають лише одного наданого аргументу.\n" -#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" "Будь ласка, виберіть принаймні один об’єкт для скасовування відповідності\n" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " @@ -2445,7 +2459,7 @@ msgstr "" "Не вдалося відкрити домен %1$s. Якщо цей домен є піддоменом (довіреним " "доменом), скористайтеся повною назвою замість параметра --domain/-d.\n" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "Не вдалося відкрити доступні домени\n" @@ -2480,7 +2494,6 @@ msgid "Invalid result." msgstr "Некоректний результат." #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "Не вдалося прочитати вхідні дані користувача\n" 
@@ -2490,7 +2503,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "Некоректні вхідні дані, будь ласка, вкажіть «%s» або «%s».\n" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "Помилка під час спроби виконати зовнішню команду\n" 
@@ -2566,36 +2578,58 @@ msgstr "Час завершення строку дії груп ініціал msgid "Search by group ID" msgstr "Шукати за ідентифікатором групи" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 +#, fuzzy, c-format +msgid "Failed to open %s\n" +msgstr "Не вдалося обробити ім'я %s.\n" + +#: src/tools/sssctl/sssctl_config.c:75 +#, fuzzy, c-format +msgid "File %1$s does not exist.\n" +msgstr "Сокета SSSD не існує." + +#: src/tools/sssctl/sssctl_config.c:79 +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" +"Не вдалося виконати перевірку прав власності і доступу до файлів. Мало бути " +"root:root і 0600.\n" + +#: src/tools/sssctl/sssctl_config.c:85 #, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +#, fuzzy msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " +"There is no configuration. SSSD will use default configuration with files " "provider.\n" msgstr "" "Файла %1$s не існує. SSSD використовуватиме типові налаштування для модуля " "надання даних щодо файлів.\n" -#: src/tools/sssctl/sssctl_config.c:81 -#, c-format -msgid "" -"File ownership and permissions check failed. Expected root:root and 0600.\n" +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" msgstr "" -"Не вдалося виконати перевірку прав власності і доступу до файлів. 
Мало бути " -"root:root і 0600.\n" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "Вади, які виявлено засобами перевірки: %zu\n" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "Повідомлення, створені під час об'єднування налаштувань: %zu\n" -#: src/tools/sssctl/sssctl_config.c:127 -#, c-format -msgid "Used configuration snippet files: %u\n" +#: src/tools/sssctl/sssctl_config.c:137 +#, fuzzy, c-format +msgid "Used configuration snippet files: %zu\n" msgstr "Використані файли фрагментів налаштувань: %u\n" #: src/tools/sssctl/sssctl_data.c:89 @@ -2609,12 +2643,10 @@ msgstr "" "Резервна копія SSSD для локальних даних вже існує. Хочете її перезаписати?" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "Не вдалося експортувати перевизначення користувача\n" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "Не вдалося експортувати перевизначення групи\n" @@ -2623,17 +2655,15 @@ msgid "Override existing backup" msgstr "Перевизначити наявну резервну копію" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "Не вдалося імпортувати перевизначення користувача\n" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "Не вдалося імпортувати перевизначення групи\n" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "Запустити SSSD, якщо його ще не запущено" 
@@ -2654,29 +2684,24 @@ msgid "Start SSSD when the cache is removed" msgstr "Запуск SSSD після вилучення кешу" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "Створюємо резервну копію локальних даних...\n" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" "Не вдалося створити резервну копію локальних даних, не вдалося вилучити " "кеш.\n" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "Вилучаємо файли кешу...\n" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "Не вдалося вилучити файли кешу\n" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "Відновлюємо локальні дані...\n" @@ -2685,18 +2710,12 @@ msgid "Show domain list including primary or trusted domain type" msgstr "" "Показати список доменів з включенням основних або довірених типів доменів" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" "Не вдалося встановити з'єднання із системним каналом передавання даних!\n" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "Стан з'єднання: %s\n" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "У мережі" 
@@ -2705,52 +2724,62 @@ msgstr "У мережі" msgid "Offline" msgstr "Поза мережею" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "Стан з'єднання: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:213 +#, fuzzy +msgid "This domain has no active servers.\n" +msgstr "Показати дані щодо активного сервера" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "Активні сервери:\n" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "не з’єднано" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "Виявлено сервери %s:\n" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "Поки немає.\n" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "Показати стан з'єднання" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "Показати дані щодо активного сервера" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "Показати список виявлених серверів" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "Вказати назву домену." 
-#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "Не вистачає пам'яті\n" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "Не вдалося отримати стан з'єднання\n" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "Не вдалося отримати список серверів\n" @@ -2763,27 +2792,22 @@ msgid "Delete log files instead of truncating" msgstr "Вилучити файли журналу замість обрізання" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "Вилучаємо файли журналу...\n" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "Не вдалося вилучити файли журналу\n" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "Обрізаємо файли журналу...\n" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "Не вдалося обрізати файли журналу\n" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "Не вистачає пам'яті!" @@ -2793,7 +2817,6 @@ msgid "Archiving log files into %s...\n" msgstr "Архівуємо файли журналу до %s...\n" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "Не вдалося архівувати файли журналу\n" @@ -2802,7 +2825,6 @@ msgid "Specify debug level you want to set" msgstr "Вкажіть рівень діагностики, яким ви хочете скористатися" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "Результат пошуку користувача у InfoPipe SSSD:\n" 
@@ -2817,7 +2839,6 @@ msgid "dlsym failed with [%s].\n" msgstr "Помилка dlsym [%s].\n" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "Помилка malloc.\n" @@ -2827,7 +2848,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "помилка sss_getpwnam_r [%d].\n" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "Результат пошуку користувача у nss SSSD:\n" @@ -2890,23 +2910,22 @@ msgstr "" "служба: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "Не вдалося знайти користувача за допомогою [%s].\n" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "Не вдалося знайти користувача InfoPipe за допомогою [%s].\n" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "Помилка pam_start: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" @@ -2914,12 +2933,12 @@ msgstr "" "перевіряємо pam_authenticate\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "Помилка pam_get_item: %s\n" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" @@ -2928,8 +2947,7 @@ msgstr "" "pam_authenticate для користувача [%s]: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" 
@@ -2937,7 +2955,7 @@ msgstr "" "перевіряємо pam_chauthtok\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" @@ -2946,8 +2964,7 @@ msgstr "" "pam_chauthtok: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" @@ -2955,7 +2972,7 @@ msgstr "" "перевіряємо pam_acct_mgmt\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" @@ -2964,8 +2981,7 @@ msgstr "" "pam_acct_mgmt: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" @@ -2973,7 +2989,7 @@ msgstr "" "перевіряємо pam_setcred\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" @@ -2982,8 +2998,7 @@ msgstr "" "pam_setcred: [%s]\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" @@ -2991,7 +3006,7 @@ msgstr "" "перевіряємо pam_open_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" @@ -3000,8 +3015,7 @@ msgstr "" "pam_open_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" @@ -3009,7 +3023,7 @@ msgstr "" "перевіряємо pam_close_session\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" 
@@ -3018,18 +3032,15 @@ msgstr "" "pam_close_session: %s\n" "\n" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "невідома дія\n" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "Середовище PAM:\n" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr " - немає середовища -\n" diff --git a/po/zh_CN.po b/po/zh_CN.po index 116843080b6..b040b435060 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:50+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/" @@ -78,12 +78,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -297,1280 +297,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:168 +#: src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials 
for offline login" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid 
"Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: 
src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA 服务器地址" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "IPA 备份服务器地址" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:214 +#: 
src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:226 +#: 
src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access control" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine account password should be 
renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos 服务器地址" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "验证超时" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 msgid "Renewable lifetime of the TGT" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change user password" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:301 +#: 
src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: 
src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: 
src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 
msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:381 +#: 
src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid "Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: 
src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule 
runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy 
children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: 
src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1578,146 +1592,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr "" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "" 
@@ -1733,27 +1747,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "无效端口\n" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1805,21 +1819,21 @@ msgstr "" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "" @@ -1840,7 +1854,7 @@ msgstr "" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "" @@ -1917,7 +1931,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1979,15 +1993,15 @@ msgstr "" msgid "Transaction error. Could not modify group.\n" msgstr "" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2030,68 +2044,68 @@ msgstr "" msgid "Internal error. Could not print group.\n" msgstr "" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "" 
@@ -2170,88 +2184,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2286,7 +2300,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2296,7 +2309,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2372,32 +2384,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2410,12 +2443,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2424,17 +2455,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2455,27 +2484,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2483,17 +2507,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2502,52 +2520,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2560,27 +2587,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2590,7 +2612,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2599,7 +2620,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2614,7 +2634,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2624,7 +2643,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2681,122 +2699,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/po/zh_TW.po b/po/zh_TW.po index 8b755aa41fc..12a6f8a9702 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" -"POT-Creation-Date: 2019-09-12 02:51+0200\n" +"POT-Creation-Date: 2019-11-30 22:24+0100\n" "PO-Revision-Date: 2014-12-14 11:50+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/sssd/" @@ -77,12 +77,12 @@ msgid "Timeout for messages sent over the SBUS" msgstr "" #: src/config/SSSDConfig/__init__.py.in:60 -#: src/config/SSSDConfig/__init__.py.in:201 +#: src/config/SSSDConfig/__init__.py.in:203 msgid "Regex to parse username and domain" msgstr "用來解析使用者名稱與網域的正規表示式" #: src/config/SSSDConfig/__init__.py.in:61 -#: src/config/SSSDConfig/__init__.py.in:200 +#: src/config/SSSDConfig/__init__.py.in:202 msgid "Printf-compatible format for displaying fully-qualified names" msgstr "" 
@@ -296,1280 +296,1294 @@ msgstr "" msgid "Path to storage of trusted CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:124 +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "Allow to generate ssh-keys from certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:123 +msgid "" +"Use the following matching rules to filter the certificates for ssh-key " +"generation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 msgid "List of UIDs or user names allowed to access the PAC responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:125 +#: src/config/SSSDConfig/__init__.py.in:127 msgid "How long the PAC data is considered valid" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:128 +#: src/config/SSSDConfig/__init__.py.in:130 msgid "List of UIDs or user names allowed to access the InfoPipe responder" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:129 +#: src/config/SSSDConfig/__init__.py.in:131 msgid "List of user attributes the InfoPipe is allowed to publish" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:132 +#: src/config/SSSDConfig/__init__.py.in:134 msgid "The provider where the secrets will be stored in" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:133 +#: src/config/SSSDConfig/__init__.py.in:135 msgid "The maximum allowed number of nested containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:134 +#: src/config/SSSDConfig/__init__.py.in:136 msgid "The maximum number of secrets that can be stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:135 +#: src/config/SSSDConfig/__init__.py.in:137 msgid "The maximum number of secrets that can be stored per UID" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:136 +#: src/config/SSSDConfig/__init__.py.in:138 msgid "The maximum payload size of a secret in kilobytes" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:138 +#: src/config/SSSDConfig/__init__.py.in:140 msgid "The URL Custodia server is listening on" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:139 +#: src/config/SSSDConfig/__init__.py.in:141 msgid "The method to use when authenticating to a Custodia server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:140 +#: src/config/SSSDConfig/__init__.py.in:142 msgid "" "The name of the headers that will be added into a HTTP request with the " "value defined in auth_header_value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:141 +#: src/config/SSSDConfig/__init__.py.in:143 msgid "The value sssd-secrets would use for auth_header_name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:142 +#: src/config/SSSDConfig/__init__.py.in:144 msgid "" "The list of the headers to forward to the Custodia server together with the " "request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:143 +#: src/config/SSSDConfig/__init__.py.in:145 msgid "" "The username to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:144 +#: src/config/SSSDConfig/__init__.py.in:146 msgid "" "The password to use when authenticating to a Custodia server using basic_auth" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:145 +#: src/config/SSSDConfig/__init__.py.in:147 msgid "If true peer's certificate is verified if proxy_url uses https protocol" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:146 +#: src/config/SSSDConfig/__init__.py.in:148 msgid "" "If false peer's certificate may contain different hostname than proxy_url " "when https protocol is used" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:147 +#: src/config/SSSDConfig/__init__.py.in:149 msgid "Path to directory where certificate authority certificates are stored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:148 +#: src/config/SSSDConfig/__init__.py.in:150 msgid "Path to file containing server's CA certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:149 +#: src/config/SSSDConfig/__init__.py.in:151 msgid "Path to file containing client's certificate" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:150 +#: src/config/SSSDConfig/__init__.py.in:152 msgid "Path to file containing client's private key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:153 +#: src/config/SSSDConfig/__init__.py.in:155 msgid "Identity provider" msgstr "身分提供者" -#: src/config/SSSDConfig/__init__.py.in:154 +#: src/config/SSSDConfig/__init__.py.in:156 msgid "Authentication provider" msgstr "認證提供者" -#: src/config/SSSDConfig/__init__.py.in:155 +#: src/config/SSSDConfig/__init__.py.in:157 msgid "Access control provider" msgstr "存取控制提供者" -#: src/config/SSSDConfig/__init__.py.in:156 +#: src/config/SSSDConfig/__init__.py.in:158 msgid "Password change provider" msgstr "密碼變更提供者" -#: src/config/SSSDConfig/__init__.py.in:157 +#: src/config/SSSDConfig/__init__.py.in:159 msgid "SUDO provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:158 +#: src/config/SSSDConfig/__init__.py.in:160 msgid "Autofs provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:159 +#: src/config/SSSDConfig/__init__.py.in:161 msgid "Host identity provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:160 +#: src/config/SSSDConfig/__init__.py.in:162 msgid "SELinux provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:161 +#: src/config/SSSDConfig/__init__.py.in:163 msgid "Session management provider" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:164 +#: src/config/SSSDConfig/__init__.py.in:166 msgid "Whether the domain is usable by the OS or by applications" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:165 +#: src/config/SSSDConfig/__init__.py.in:167 msgid "Minimum user ID" msgstr "最小的使用者 ID" -#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:168 msgid "Maximum user ID" msgstr "最大的使用者 ID" -#: src/config/SSSDConfig/__init__.py.in:167 +#: src/config/SSSDConfig/__init__.py.in:169 msgid "Enable enumerating all users/groups" msgstr "啟用所有使用者或群組的列舉" -#: src/config/SSSDConfig/__init__.py.in:168 +#: 
src/config/SSSDConfig/__init__.py.in:170 msgid "Cache credentials for offline login" msgstr "供離線登入使用的快取憑證" -#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:171 msgid "Display users/groups in fully-qualified form" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:170 +#: src/config/SSSDConfig/__init__.py.in:172 msgid "Don't include group members in group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:171 -#: src/config/SSSDConfig/__init__.py.in:180 -#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:173 #: src/config/SSSDConfig/__init__.py.in:182 #: src/config/SSSDConfig/__init__.py.in:183 #: src/config/SSSDConfig/__init__.py.in:184 #: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:187 msgid "Entry cache timeout length (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:172 +#: src/config/SSSDConfig/__init__.py.in:174 msgid "" "Restrict or prefer a specific address family when performing DNS lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:175 msgid "How long to keep cached entries after last successful login (days)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:176 msgid "" "How long should SSSD talk to single DNS server before trying next server " "(miliseconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:177 msgid "How long should keep trying to resolve single DNS query (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:178 msgid "How long to wait for replies from DNS when resolving servers (seconds)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:179 msgid "The domain part of service discovery DNS query" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:180 msgid "Override GID value from the identity provider with this value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:181 msgid "Treat usernames as case sensitive" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:186 +#: src/config/SSSDConfig/__init__.py.in:188 msgid "How often should expired entries be refreshed in background" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:187 +#: src/config/SSSDConfig/__init__.py.in:189 msgid "Whether to automatically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:188 -#: src/config/SSSDConfig/__init__.py.in:210 +#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:212 msgid "The TTL to apply to the client's DNS entry after updating it" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:189 -#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:213 msgid "The interface whose IP should be used for dynamic DNS updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:190 +#: src/config/SSSDConfig/__init__.py.in:192 msgid "How often to periodically update the client's DNS entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:191 +#: src/config/SSSDConfig/__init__.py.in:193 msgid "Whether the provider should explicitly update the PTR record as well" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:192 +#: src/config/SSSDConfig/__init__.py.in:194 msgid "Whether the nsupdate utility should default to using TCP" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:193 +#: src/config/SSSDConfig/__init__.py.in:195 msgid "What kind of authentication should be used to perform the DNS update" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:194 +#: src/config/SSSDConfig/__init__.py.in:196 msgid "Override the DNS server used to perform the DNS update" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:195 +#: src/config/SSSDConfig/__init__.py.in:197 msgid "Control enumeration of trusted domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:196 +#: src/config/SSSDConfig/__init__.py.in:198 msgid "How often should subdomains list be refreshed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:197 +#: src/config/SSSDConfig/__init__.py.in:199 msgid "List of options that should be inherited into a subdomain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:198 +#: src/config/SSSDConfig/__init__.py.in:200 msgid "Default subdomain homedir value" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:199 +#: src/config/SSSDConfig/__init__.py.in:201 msgid "How long can cached credentials be used for cached authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:202 +#: src/config/SSSDConfig/__init__.py.in:204 msgid "Whether to automatically create private groups for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:205 +#: src/config/SSSDConfig/__init__.py.in:207 msgid "IPA domain" msgstr "IPA 網域" -#: src/config/SSSDConfig/__init__.py.in:206 +#: src/config/SSSDConfig/__init__.py.in:208 msgid "IPA server address" msgstr "IPA 伺服器位址" -#: src/config/SSSDConfig/__init__.py.in:207 +#: src/config/SSSDConfig/__init__.py.in:209 msgid "Address of backup IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:208 +#: src/config/SSSDConfig/__init__.py.in:210 msgid "IPA client hostname" msgstr "IPA 客戶端主機名稱" -#: src/config/SSSDConfig/__init__.py.in:209 +#: src/config/SSSDConfig/__init__.py.in:211 msgid "Whether to automatically update the client's DNS entry in FreeIPA" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:212 +#: src/config/SSSDConfig/__init__.py.in:214 msgid "Search base for HBAC related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:213 +#: src/config/SSSDConfig/__init__.py.in:215 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:214 +#: src/config/SSSDConfig/__init__.py.in:216 msgid "" "The amount of time in seconds between lookups of the SELinux maps against " "the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:217 msgid "If set to false, host argument given by PAM will be ignored" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:216 +#: src/config/SSSDConfig/__init__.py.in:218 msgid "The automounter location this IPA client is using" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:217 +#: src/config/SSSDConfig/__init__.py.in:219 msgid "Search base for object containing info about IPA domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:218 +#: src/config/SSSDConfig/__init__.py.in:220 msgid "Search base for objects containing info about ID ranges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:219 -#: src/config/SSSDConfig/__init__.py.in:237 +#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:239 msgid "Enable DNS sites - location based service discovery" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:220 +#: src/config/SSSDConfig/__init__.py.in:222 msgid "Search base for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:221 +#: src/config/SSSDConfig/__init__.py.in:223 msgid "Objectclass for view containers" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:222 +#: src/config/SSSDConfig/__init__.py.in:224 msgid "Attribute with the name of the view" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:223 +#: src/config/SSSDConfig/__init__.py.in:225 msgid "Objectclass for override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:224 +#: src/config/SSSDConfig/__init__.py.in:226 msgid "Attribute with the reference to the original object" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:225 +#: src/config/SSSDConfig/__init__.py.in:227 msgid "Objectclass for user override objects" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:226 +#: src/config/SSSDConfig/__init__.py.in:228 msgid "Objectclass for group override objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:229 msgid "Search base for Desktop Profile related objects" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:228 +#: src/config/SSSDConfig/__init__.py.in:230 msgid "" "The amount of time in seconds between lookups of the Desktop Profile rules " "against the IPA server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:229 +#: src/config/SSSDConfig/__init__.py.in:231 msgid "" "The amount of time in minutes between lookups of Desktop Profiles rules " "against the IPA server when the last request did not find any rule" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:232 +#: src/config/SSSDConfig/__init__.py.in:234 msgid "Active Directory domain" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:233 +#: src/config/SSSDConfig/__init__.py.in:235 msgid "Enabled Active Directory domains" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:236 msgid "Active Directory server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:235 +#: src/config/SSSDConfig/__init__.py.in:237 msgid "Active Directory backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:236 +#: src/config/SSSDConfig/__init__.py.in:238 msgid "Active Directory client hostname" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:238 -#: src/config/SSSDConfig/__init__.py.in:423 +#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:425 msgid "LDAP filter to determine access privileges" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:239 +#: src/config/SSSDConfig/__init__.py.in:241 msgid "Whether to use the Global Catalog for lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:240 +#: src/config/SSSDConfig/__init__.py.in:242 msgid "Operation mode for GPO-based access 
control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:241 +#: src/config/SSSDConfig/__init__.py.in:243 msgid "" "The amount of time between lookups of the GPO policy files against the AD " "server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:242 +#: src/config/SSSDConfig/__init__.py.in:244 msgid "" "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " "settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:243 +#: src/config/SSSDConfig/__init__.py.in:245 msgid "" "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " "policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:246 msgid "" "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:245 +#: src/config/SSSDConfig/__init__.py.in:247 msgid "" "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:246 +#: src/config/SSSDConfig/__init__.py.in:248 msgid "" "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:247 +#: src/config/SSSDConfig/__init__.py.in:249 msgid "PAM service names for which GPO-based access is always granted" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:248 +#: src/config/SSSDConfig/__init__.py.in:250 msgid "PAM service names for which GPO-based access is always denied" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:249 +#: src/config/SSSDConfig/__init__.py.in:251 msgid "" "Default logon right (or permit/deny) to use for unmapped PAM service names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:250 +#: src/config/SSSDConfig/__init__.py.in:252 msgid "a particular site to be used by the client" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:253 msgid "" "Maximum age in days before the machine 
account password should be renewed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:252 +#: src/config/SSSDConfig/__init__.py.in:254 msgid "Option for tuning the machine account renewal task" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:255 -#: src/config/SSSDConfig/__init__.py.in:256 +#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:258 msgid "Kerberos server address" msgstr "Kerberos 伺服器位址" -#: src/config/SSSDConfig/__init__.py.in:257 +#: src/config/SSSDConfig/__init__.py.in:259 msgid "Kerberos backup server address" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:258 +#: src/config/SSSDConfig/__init__.py.in:260 msgid "Kerberos realm" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:259 +#: src/config/SSSDConfig/__init__.py.in:261 msgid "Authentication timeout" msgstr "認證逾時" -#: src/config/SSSDConfig/__init__.py.in:260 +#: src/config/SSSDConfig/__init__.py.in:262 msgid "Whether to create kdcinfo files" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:261 +#: src/config/SSSDConfig/__init__.py.in:263 msgid "Where to drop krb5 config snippets" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:264 +#: src/config/SSSDConfig/__init__.py.in:266 msgid "Directory to store credential caches" msgstr "儲存憑證快取的目錄" -#: src/config/SSSDConfig/__init__.py.in:265 +#: src/config/SSSDConfig/__init__.py.in:267 msgid "Location of the user's credential cache" msgstr "使用者憑證快取的位置" -#: src/config/SSSDConfig/__init__.py.in:266 +#: src/config/SSSDConfig/__init__.py.in:268 msgid "Location of the keytab to validate credentials" msgstr "驗證憑證用的金鑰表格位置" -#: src/config/SSSDConfig/__init__.py.in:267 +#: src/config/SSSDConfig/__init__.py.in:269 msgid "Enable credential validation" msgstr "啟用憑證驗證" -#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:270 msgid "Store password if offline for later online authentication" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:269 +#: src/config/SSSDConfig/__init__.py.in:271 
msgid "Renewable lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:270 +#: src/config/SSSDConfig/__init__.py.in:272 msgid "Lifetime of the TGT" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:271 +#: src/config/SSSDConfig/__init__.py.in:273 msgid "Time between two checks for renewal" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:272 +#: src/config/SSSDConfig/__init__.py.in:274 msgid "Enables FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:273 +#: src/config/SSSDConfig/__init__.py.in:275 msgid "Selects the principal to use for FAST" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:274 +#: src/config/SSSDConfig/__init__.py.in:276 msgid "Enables principal canonicalization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:277 msgid "Enables enterprise principals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:276 +#: src/config/SSSDConfig/__init__.py.in:278 msgid "A mapping from user names to Kerberos principal names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:279 -#: src/config/SSSDConfig/__init__.py.in:280 +#: src/config/SSSDConfig/__init__.py.in:281 +#: src/config/SSSDConfig/__init__.py.in:282 msgid "Server where the change password service is running if not on the KDC" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:283 +#: src/config/SSSDConfig/__init__.py.in:285 msgid "ldap_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:284 +#: src/config/SSSDConfig/__init__.py.in:286 msgid "ldap_backup_uri, The URI of the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:285 +#: src/config/SSSDConfig/__init__.py.in:287 msgid "The default base DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:286 +#: src/config/SSSDConfig/__init__.py.in:288 msgid "The Schema Type in use on the LDAP server, rfc2307" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:287 +#: src/config/SSSDConfig/__init__.py.in:289 msgid "Mode used to change 
user password" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:288 +#: src/config/SSSDConfig/__init__.py.in:290 msgid "The default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:289 +#: src/config/SSSDConfig/__init__.py.in:291 msgid "The type of the authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:290 +#: src/config/SSSDConfig/__init__.py.in:292 msgid "The authentication token of the default bind DN" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:291 +#: src/config/SSSDConfig/__init__.py.in:293 msgid "Length of time to attempt connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:292 +#: src/config/SSSDConfig/__init__.py.in:294 msgid "Length of time to attempt synchronous LDAP operations" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:293 +#: src/config/SSSDConfig/__init__.py.in:295 msgid "Length of time between attempts to reconnect while offline" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:294 +#: src/config/SSSDConfig/__init__.py.in:296 msgid "Use only the upper case for realm names" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:295 +#: src/config/SSSDConfig/__init__.py.in:297 msgid "File that contains CA certificates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:296 +#: src/config/SSSDConfig/__init__.py.in:298 msgid "Path to CA certificate directory" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:297 +#: src/config/SSSDConfig/__init__.py.in:299 msgid "File that contains the client certificate" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:298 +#: src/config/SSSDConfig/__init__.py.in:300 msgid "File that contains the client key" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:299 +#: src/config/SSSDConfig/__init__.py.in:301 msgid "List of possible ciphers suites" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:300 +#: src/config/SSSDConfig/__init__.py.in:302 msgid "Require TLS certificate verification" msgstr "需要 TLS 憑證驗證" -#: 
src/config/SSSDConfig/__init__.py.in:301 +#: src/config/SSSDConfig/__init__.py.in:303 msgid "Specify the sasl mechanism to use" msgstr "指定要使用的 sasl 機制" -#: src/config/SSSDConfig/__init__.py.in:302 +#: src/config/SSSDConfig/__init__.py.in:304 msgid "Specify the sasl authorization id to use" msgstr "指定要使用的 sasl 認證 id" -#: src/config/SSSDConfig/__init__.py.in:303 +#: src/config/SSSDConfig/__init__.py.in:305 msgid "Specify the sasl authorization realm to use" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:304 +#: src/config/SSSDConfig/__init__.py.in:306 msgid "Specify the minimal SSF for LDAP sasl authorization" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:305 +#: src/config/SSSDConfig/__init__.py.in:307 msgid "Kerberos service keytab" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:306 +#: src/config/SSSDConfig/__init__.py.in:308 msgid "Use Kerberos auth for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:307 +#: src/config/SSSDConfig/__init__.py.in:309 msgid "Follow LDAP referrals" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:308 +#: src/config/SSSDConfig/__init__.py.in:310 msgid "Lifetime of TGT for LDAP connection" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:309 +#: src/config/SSSDConfig/__init__.py.in:311 msgid "How to dereference aliases" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:310 +#: src/config/SSSDConfig/__init__.py.in:312 msgid "Service name for DNS service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:311 +#: src/config/SSSDConfig/__init__.py.in:313 msgid "The number of records to retrieve in a single LDAP query" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:312 +#: src/config/SSSDConfig/__init__.py.in:314 msgid "The number of members that must be missing to trigger a full deref" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:313 +#: src/config/SSSDConfig/__init__.py.in:315 msgid "" "Whether the LDAP library should perform a reverse lookup to canonicalize the " "host name during 
a SASL bind" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:315 +#: src/config/SSSDConfig/__init__.py.in:317 msgid "entryUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:316 +#: src/config/SSSDConfig/__init__.py.in:318 msgid "lastUSN attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:318 +#: src/config/SSSDConfig/__init__.py.in:320 msgid "How long to retain a connection to the LDAP server before disconnecting" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:320 +#: src/config/SSSDConfig/__init__.py.in:322 msgid "Disable the LDAP paging control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:321 +#: src/config/SSSDConfig/__init__.py.in:323 msgid "Disable Active Directory range retrieval" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:324 +#: src/config/SSSDConfig/__init__.py.in:326 msgid "Length of time to wait for a search request" msgstr "搜尋請求的等候時間長度" -#: src/config/SSSDConfig/__init__.py.in:325 +#: src/config/SSSDConfig/__init__.py.in:327 msgid "Length of time to wait for a enumeration request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:326 +#: src/config/SSSDConfig/__init__.py.in:328 msgid "Length of time between enumeration updates" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:327 +#: src/config/SSSDConfig/__init__.py.in:329 msgid "Length of time between cache cleanups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:328 +#: src/config/SSSDConfig/__init__.py.in:330 msgid "Require TLS for ID lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:329 +#: src/config/SSSDConfig/__init__.py.in:331 msgid "Use ID-mapping of objectSID instead of pre-set IDs" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:332 msgid "Base DN for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:331 +#: src/config/SSSDConfig/__init__.py.in:333 msgid "Scope of user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:332 +#: 
src/config/SSSDConfig/__init__.py.in:334 msgid "Filter for user lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:333 +#: src/config/SSSDConfig/__init__.py.in:335 msgid "Objectclass for users" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:334 +#: src/config/SSSDConfig/__init__.py.in:336 msgid "Username attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:336 +#: src/config/SSSDConfig/__init__.py.in:338 msgid "UID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:339 msgid "Primary GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:338 +#: src/config/SSSDConfig/__init__.py.in:340 msgid "GECOS attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:339 +#: src/config/SSSDConfig/__init__.py.in:341 msgid "Home directory attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:340 +#: src/config/SSSDConfig/__init__.py.in:342 msgid "Shell attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:341 +#: src/config/SSSDConfig/__init__.py.in:343 msgid "UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:342 -#: src/config/SSSDConfig/__init__.py.in:384 +#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:386 msgid "objectSID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:343 +#: src/config/SSSDConfig/__init__.py.in:345 msgid "Active Directory primary group attribute for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:344 +#: src/config/SSSDConfig/__init__.py.in:346 msgid "User principal attribute (for Kerberos)" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:345 +#: src/config/SSSDConfig/__init__.py.in:347 msgid "Full Name" msgstr "全名" -#: src/config/SSSDConfig/__init__.py.in:346 +#: src/config/SSSDConfig/__init__.py.in:348 msgid "memberOf attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:347 +#: src/config/SSSDConfig/__init__.py.in:349 msgid "Modification time attribute" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:349 +#: src/config/SSSDConfig/__init__.py.in:351 msgid "shadowLastChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:350 +#: src/config/SSSDConfig/__init__.py.in:352 msgid "shadowMin attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:351 +#: src/config/SSSDConfig/__init__.py.in:353 msgid "shadowMax attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:352 +#: src/config/SSSDConfig/__init__.py.in:354 msgid "shadowWarning attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:353 +#: src/config/SSSDConfig/__init__.py.in:355 msgid "shadowInactive attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:354 +#: src/config/SSSDConfig/__init__.py.in:356 msgid "shadowExpire attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:355 +#: src/config/SSSDConfig/__init__.py.in:357 msgid "shadowFlag attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:356 +#: src/config/SSSDConfig/__init__.py.in:358 msgid "Attribute listing authorized PAM services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:357 +#: src/config/SSSDConfig/__init__.py.in:359 msgid "Attribute listing authorized server hosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:358 +#: src/config/SSSDConfig/__init__.py.in:360 msgid "Attribute listing authorized server rhosts" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:359 +#: src/config/SSSDConfig/__init__.py.in:361 msgid "krbLastPwdChange attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:360 +#: src/config/SSSDConfig/__init__.py.in:362 msgid "krbPasswordExpiration attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:361 +#: src/config/SSSDConfig/__init__.py.in:363 msgid "Attribute indicating that server side password policies are active" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:362 +#: src/config/SSSDConfig/__init__.py.in:364 msgid "accountExpires attribute of AD" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:363 +#: src/config/SSSDConfig/__init__.py.in:365 msgid "userAccountControl attribute of AD" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:364 +#: src/config/SSSDConfig/__init__.py.in:366 msgid "nsAccountLock attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:365 +#: src/config/SSSDConfig/__init__.py.in:367 msgid "loginDisabled attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:366 +#: src/config/SSSDConfig/__init__.py.in:368 msgid "loginExpirationTime attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:367 +#: src/config/SSSDConfig/__init__.py.in:369 msgid "loginAllowedTimeMap attribute of NDS" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:368 +#: src/config/SSSDConfig/__init__.py.in:370 msgid "SSH public key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:369 +#: src/config/SSSDConfig/__init__.py.in:371 msgid "attribute listing allowed authentication types for a user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:370 +#: src/config/SSSDConfig/__init__.py.in:372 msgid "attribute containing the X509 certificate of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:371 +#: src/config/SSSDConfig/__init__.py.in:373 msgid "attribute containing the email address of the user" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:373 +#: src/config/SSSDConfig/__init__.py.in:375 msgid "A list of extra attributes to download along with the user entry" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:375 +#: src/config/SSSDConfig/__init__.py.in:377 msgid "Base DN for group lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:378 +#: src/config/SSSDConfig/__init__.py.in:380 msgid "Objectclass for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:379 +#: src/config/SSSDConfig/__init__.py.in:381 msgid "Group name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:380 +#: src/config/SSSDConfig/__init__.py.in:382 msgid "Group password" msgstr "" 
-#: src/config/SSSDConfig/__init__.py.in:381 +#: src/config/SSSDConfig/__init__.py.in:383 msgid "GID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:382 +#: src/config/SSSDConfig/__init__.py.in:384 msgid "Group member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:383 +#: src/config/SSSDConfig/__init__.py.in:385 msgid "Group UUID attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:385 +#: src/config/SSSDConfig/__init__.py.in:387 msgid "Modification time attribute for groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:386 +#: src/config/SSSDConfig/__init__.py.in:388 msgid "Type of the group and other flags" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:387 +#: src/config/SSSDConfig/__init__.py.in:389 msgid "The LDAP group external member attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:389 +#: src/config/SSSDConfig/__init__.py.in:391 msgid "Maximum nesting level SSSD will follow" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:391 +#: src/config/SSSDConfig/__init__.py.in:393 msgid "Base DN for netgroup lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:392 +#: src/config/SSSDConfig/__init__.py.in:394 msgid "Objectclass for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:393 +#: src/config/SSSDConfig/__init__.py.in:395 msgid "Netgroup name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:394 +#: src/config/SSSDConfig/__init__.py.in:396 msgid "Netgroups members attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:395 +#: src/config/SSSDConfig/__init__.py.in:397 msgid "Netgroup triple attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:396 +#: src/config/SSSDConfig/__init__.py.in:398 msgid "Modification time attribute for netgroups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:398 +#: src/config/SSSDConfig/__init__.py.in:400 msgid "Base DN for service lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:399 +#: 
src/config/SSSDConfig/__init__.py.in:401 msgid "Objectclass for services" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:400 +#: src/config/SSSDConfig/__init__.py.in:402 msgid "Service name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:401 +#: src/config/SSSDConfig/__init__.py.in:403 msgid "Service port attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:402 +#: src/config/SSSDConfig/__init__.py.in:404 msgid "Service protocol attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:405 +#: src/config/SSSDConfig/__init__.py.in:407 msgid "Lower bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:406 +#: src/config/SSSDConfig/__init__.py.in:408 msgid "Upper bound for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:407 +#: src/config/SSSDConfig/__init__.py.in:409 msgid "Number of IDs for each slice when ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:408 +#: src/config/SSSDConfig/__init__.py.in:410 msgid "Use autorid-compatible algorithm for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:409 +#: src/config/SSSDConfig/__init__.py.in:411 msgid "Name of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:410 +#: src/config/SSSDConfig/__init__.py.in:412 msgid "SID of the default domain for ID-mapping" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:411 +#: src/config/SSSDConfig/__init__.py.in:413 msgid "Number of secondary slices" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:413 +#: src/config/SSSDConfig/__init__.py.in:415 msgid "Whether to use Token-Groups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:414 +#: src/config/SSSDConfig/__init__.py.in:416 msgid "Set lower boundary for allowed IDs from the LDAP server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:415 +#: src/config/SSSDConfig/__init__.py.in:417 msgid "Set upper boundary for allowed IDs from the LDAP server" msgstr "" -#: 
src/config/SSSDConfig/__init__.py.in:416 +#: src/config/SSSDConfig/__init__.py.in:418 msgid "DN for ppolicy queries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:417 +#: src/config/SSSDConfig/__init__.py.in:419 msgid "How many maximum entries to fetch during a wildcard request" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:420 +#: src/config/SSSDConfig/__init__.py.in:422 msgid "Policy to evaluate the password expiration" msgstr "評估密碼過期時效的策略" -#: src/config/SSSDConfig/__init__.py.in:424 +#: src/config/SSSDConfig/__init__.py.in:426 msgid "Which attributes shall be used to evaluate if an account is expired" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:425 +#: src/config/SSSDConfig/__init__.py.in:427 msgid "Which rules should be used to evaluate access control" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:428 +#: src/config/SSSDConfig/__init__.py.in:430 msgid "URI of an LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:429 +#: src/config/SSSDConfig/__init__.py.in:431 msgid "URI of a backup LDAP server where password changes are allowed" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:430 +#: src/config/SSSDConfig/__init__.py.in:432 msgid "DNS service name for LDAP password change server" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:431 +#: src/config/SSSDConfig/__init__.py.in:433 msgid "" "Whether to update the ldap_user_shadow_last_change attribute after a " "password change" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:434 +#: src/config/SSSDConfig/__init__.py.in:436 msgid "Base DN for sudo rules lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:435 +#: src/config/SSSDConfig/__init__.py.in:437 msgid "Automatic full refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:436 +#: src/config/SSSDConfig/__init__.py.in:438 msgid "Automatic smart refresh period" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:437 +#: src/config/SSSDConfig/__init__.py.in:439 msgid 
"Whether to filter rules by hostname, IP addresses and network" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:438 +#: src/config/SSSDConfig/__init__.py.in:440 msgid "" "Hostnames and/or fully qualified domain names of this machine to filter sudo " "rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:439 +#: src/config/SSSDConfig/__init__.py.in:441 msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:440 +#: src/config/SSSDConfig/__init__.py.in:442 msgid "Whether to include rules that contains netgroup in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:441 +#: src/config/SSSDConfig/__init__.py.in:443 msgid "" "Whether to include rules that contains regular expression in host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:442 +#: src/config/SSSDConfig/__init__.py.in:444 msgid "Object class for sudo rules" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:443 +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 msgid "Sudo rule name" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:444 +#: src/config/SSSDConfig/__init__.py.in:447 msgid "Sudo rule command attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:445 +#: src/config/SSSDConfig/__init__.py.in:448 msgid "Sudo rule host attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:446 +#: src/config/SSSDConfig/__init__.py.in:449 msgid "Sudo rule user attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:447 +#: src/config/SSSDConfig/__init__.py.in:450 msgid "Sudo rule option attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:448 +#: src/config/SSSDConfig/__init__.py.in:451 msgid "Sudo rule runas attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:449 +#: src/config/SSSDConfig/__init__.py.in:452 msgid "Sudo rule runasuser attribute" 
msgstr "" -#: src/config/SSSDConfig/__init__.py.in:450 +#: src/config/SSSDConfig/__init__.py.in:453 msgid "Sudo rule runasgroup attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:451 +#: src/config/SSSDConfig/__init__.py.in:454 msgid "Sudo rule notbefore attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:452 +#: src/config/SSSDConfig/__init__.py.in:455 msgid "Sudo rule notafter attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:453 +#: src/config/SSSDConfig/__init__.py.in:456 msgid "Sudo rule order attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:456 +#: src/config/SSSDConfig/__init__.py.in:459 msgid "Object class for automounter maps" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:457 +#: src/config/SSSDConfig/__init__.py.in:460 msgid "Automounter map name attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:458 +#: src/config/SSSDConfig/__init__.py.in:461 msgid "Object class for automounter map entries" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:459 +#: src/config/SSSDConfig/__init__.py.in:462 msgid "Automounter map entry key attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:460 +#: src/config/SSSDConfig/__init__.py.in:463 msgid "Automounter map entry value attribute" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:461 +#: src/config/SSSDConfig/__init__.py.in:464 msgid "Base DN for automounter map lookups" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:464 +#: src/config/SSSDConfig/__init__.py.in:467 msgid "Comma separated list of allowed users" msgstr "許可的使用者清單,請使用半形逗號作為分隔" -#: src/config/SSSDConfig/__init__.py.in:465 +#: src/config/SSSDConfig/__init__.py.in:468 msgid "Comma separated list of prohibited users" msgstr "被禁止的使用者清單,請使用半形逗號作為分隔" -#: src/config/SSSDConfig/__init__.py.in:468 +#: src/config/SSSDConfig/__init__.py.in:471 msgid "Default shell, /bin/bash" msgstr "預設 shell,/bin/bash" -#: src/config/SSSDConfig/__init__.py.in:469 +#: src/config/SSSDConfig/__init__.py.in:472 
msgid "Base for home directories" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:472 +#: src/config/SSSDConfig/__init__.py.in:475 msgid "The number of preforked proxy children." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:475 +#: src/config/SSSDConfig/__init__.py.in:478 msgid "The name of the NSS library to use" msgstr "要使用的 NSS 函式庫名稱" -#: src/config/SSSDConfig/__init__.py.in:476 +#: src/config/SSSDConfig/__init__.py.in:479 msgid "Whether to look up canonical group name from cache if possible" msgstr "" -#: src/config/SSSDConfig/__init__.py.in:479 +#: src/config/SSSDConfig/__init__.py.in:482 msgid "PAM stack to use" msgstr "要使用的 PAM 堆疊" -#: src/config/SSSDConfig/__init__.py.in:482 +#: src/config/SSSDConfig/__init__.py.in:485 msgid "Path of passwd file sources." msgstr "" -#: src/config/SSSDConfig/__init__.py.in:483 +#: src/config/SSSDConfig/__init__.py.in:486 msgid "Path of group file sources." msgstr "" -#: src/monitor/monitor.c:2332 +#: src/monitor/monitor.c:2355 msgid "Become a daemon (default)" msgstr "作為幕後程式 (預設)" -#: src/monitor/monitor.c:2334 +#: src/monitor/monitor.c:2357 msgid "Run interactive (not a daemon)" msgstr "以互動方式執行 (非幕後程式)" -#: src/monitor/monitor.c:2337 +#: src/monitor/monitor.c:2360 msgid "Disable netlink interface" msgstr "" -#: src/monitor/monitor.c:2339 src/tools/sssctl/sssctl_logs.c:311 +#: src/monitor/monitor.c:2362 src/tools/sssctl/sssctl_logs.c:311 msgid "Specify a non-default config file" msgstr "指定非預設的配置檔" -#: src/monitor/monitor.c:2341 +#: src/monitor/monitor.c:2364 msgid "Refresh the configuration database, then exit" msgstr "" -#: src/monitor/monitor.c:2344 +#: src/monitor/monitor.c:2367 msgid "Similar to --genconf, but only refreshes the given section" msgstr "" -#: src/monitor/monitor.c:2347 +#: src/monitor/monitor.c:2370 msgid "Print version number and exit" msgstr "" -#: src/monitor/monitor.c:2491 +#: src/monitor/monitor.c:2514 msgid "SSSD is already running\n" msgstr "" -#: src/providers/krb5/krb5_child.c:3232 
src/providers/ldap/ldap_child.c:605 +#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:624 msgid "Debug level" msgstr "除錯層級" -#: src/providers/krb5/krb5_child.c:3234 src/providers/ldap/ldap_child.c:607 +#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:626 msgid "Add debug timestamps" msgstr "加入除錯時間戳記" -#: src/providers/krb5/krb5_child.c:3236 src/providers/ldap/ldap_child.c:609 +#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:628 msgid "Show timestamps with microseconds" msgstr "" -#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:611 +#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:630 msgid "An open file descriptor for the debug logs" msgstr "" -#: src/providers/krb5/krb5_child.c:3241 src/providers/ldap/ldap_child.c:613 +#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:632 msgid "Send the debug output to stderr directly." msgstr "" -#: src/providers/krb5/krb5_child.c:3244 +#: src/providers/krb5/krb5_child.c:3245 msgid "The user to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3246 +#: src/providers/krb5/krb5_child.c:3247 msgid "The group to create FAST ccache as" msgstr "" -#: src/providers/krb5/krb5_child.c:3248 +#: src/providers/krb5/krb5_child.c:3249 msgid "Kerberos realm to use" msgstr "" -#: src/providers/krb5/krb5_child.c:3250 +#: src/providers/krb5/krb5_child.c:3251 msgid "Requested lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3252 +#: src/providers/krb5/krb5_child.c:3253 msgid "Requested renewable lifetime of the ticket" msgstr "" -#: src/providers/krb5/krb5_child.c:3254 +#: src/providers/krb5/krb5_child.c:3255 msgid "FAST options ('never', 'try', 'demand')" msgstr "" -#: src/providers/krb5/krb5_child.c:3257 +#: src/providers/krb5/krb5_child.c:3258 msgid "Specifies the server principal to use for FAST" msgstr "" -#: src/providers/krb5/krb5_child.c:3259 +#: 
src/providers/krb5/krb5_child.c:3260 msgid "Requests canonicalization of the principal name" msgstr "" -#: src/providers/krb5/krb5_child.c:3261 +#: src/providers/krb5/krb5_child.c:3262 msgid "Use custom version of krb5_get_init_creds_password" msgstr "" 
@@ -1577,146 +1591,146 @@ msgstr "" msgid "Domain of the information provider (mandatory)" msgstr "" -#: src/sss_client/common.c:1084 +#: src/sss_client/common.c:1079 msgid "Privileged socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1087 +#: src/sss_client/common.c:1082 msgid "Public socket has wrong ownership or permissions." msgstr "" -#: src/sss_client/common.c:1090 +#: src/sss_client/common.c:1085 msgid "Unexpected format of the server credential message." msgstr "" -#: src/sss_client/common.c:1093 +#: src/sss_client/common.c:1088 msgid "SSSD is not run by root." msgstr "" -#: src/sss_client/common.c:1096 +#: src/sss_client/common.c:1091 msgid "SSSD socket does not exist." msgstr "" -#: src/sss_client/common.c:1099 +#: src/sss_client/common.c:1094 msgid "Cannot get stat of SSSD socket." msgstr "" -#: src/sss_client/common.c:1104 +#: src/sss_client/common.c:1099 msgid "An error occurred, but no description can be found." msgstr "" -#: src/sss_client/common.c:1110 +#: src/sss_client/common.c:1105 msgid "Unexpected error while looking for an error description" msgstr "" -#: src/sss_client/pam_sss.c:67 +#: src/sss_client/pam_sss.c:68 msgid "Permission denied. " msgstr "" -#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:778 -#: src/sss_client/pam_sss.c:789 +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 +#: src/sss_client/pam_sss.c:790 msgid "Server message: " msgstr "伺服器訊息:" -#: src/sss_client/pam_sss.c:296 +#: src/sss_client/pam_sss.c:297 msgid "Passwords do not match" msgstr "密碼不相符" -#: src/sss_client/pam_sss.c:484 +#: src/sss_client/pam_sss.c:485 msgid "Password reset by root is not supported." 
msgstr "" -#: src/sss_client/pam_sss.c:525 +#: src/sss_client/pam_sss.c:526 msgid "Authenticated with cached credentials" msgstr "" -#: src/sss_client/pam_sss.c:526 +#: src/sss_client/pam_sss.c:527 msgid ", your cached password will expire at: " msgstr ",您快取的密碼將在此刻過期:" -#: src/sss_client/pam_sss.c:556 +#: src/sss_client/pam_sss.c:557 #, c-format msgid "Your password has expired. You have %1$d grace login(s) remaining." msgstr "" -#: src/sss_client/pam_sss.c:602 +#: src/sss_client/pam_sss.c:603 #, c-format msgid "Your password will expire in %1$d %2$s." msgstr "" -#: src/sss_client/pam_sss.c:651 +#: src/sss_client/pam_sss.c:652 msgid "Authentication is denied until: " msgstr "" -#: src/sss_client/pam_sss.c:672 +#: src/sss_client/pam_sss.c:673 msgid "System is offline, password change not possible" msgstr "系統已離線,不可能作密碼變更" -#: src/sss_client/pam_sss.c:687 +#: src/sss_client/pam_sss.c:688 msgid "" "After changing the OTP password, you need to log out and back in order to " "acquire a ticket" msgstr "" -#: src/sss_client/pam_sss.c:775 src/sss_client/pam_sss.c:788 +#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 msgid "Password change failed. 
" msgstr "密碼變更失敗。" -#: src/sss_client/pam_sss.c:1989 +#: src/sss_client/pam_sss.c:2008 msgid "New Password: " msgstr "新密碼:" -#: src/sss_client/pam_sss.c:1990 +#: src/sss_client/pam_sss.c:2009 msgid "Reenter new Password: " msgstr "再次輸入新密碼:" -#: src/sss_client/pam_sss.c:2152 src/sss_client/pam_sss.c:2155 +#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 msgid "First Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2153 src/sss_client/pam_sss.c:2324 +#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 msgid "Second Factor (optional): " msgstr "" -#: src/sss_client/pam_sss.c:2156 src/sss_client/pam_sss.c:2327 +#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 msgid "Second Factor: " msgstr "" -#: src/sss_client/pam_sss.c:2171 +#: src/sss_client/pam_sss.c:2190 msgid "Password: " msgstr "密碼:" -#: src/sss_client/pam_sss.c:2323 src/sss_client/pam_sss.c:2326 +#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 msgid "First Factor (Current Password): " msgstr "" -#: src/sss_client/pam_sss.c:2330 +#: src/sss_client/pam_sss.c:2349 msgid "Current Password: " msgstr "目前的密碼:" -#: src/sss_client/pam_sss.c:2685 +#: src/sss_client/pam_sss.c:2704 msgid "Password expired. Change your password now." 
msgstr "密碼已過期。請立刻變更您的密碼。" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 -#: src/tools/sss_cache.c:704 +#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:719 msgid "The debug level to run with" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 msgid "The SSSD domain to use" msgstr "" #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 -#: src/tools/sss_cache.c:750 +#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:765 msgid "Error setting the locale\n" msgstr "設定區域設置時發生錯誤\n" 
@@ -1732,27 +1746,27 @@ msgstr "" msgid "Error looking up public keys\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 msgid "The port to use to connect to the host" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 msgid "Print the host ssh public keys" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 msgid "Invalid port\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 msgid "Host not specified\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 msgid "The path to the proxy command must be absolute\n" msgstr "" -#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:342 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 #, c-format msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" msgstr "" 
@@ -1804,21 +1818,21 @@ msgstr "指定要加入的使用者\n" #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 #: src/tools/sss_usermod.c:162 msgid "Error initializing the tools - no local domain\n" msgstr "初始化工具時發生錯誤 - 沒有本機網域\n" #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 #: src/tools/sss_usermod.c:164 msgid "Error initializing the tools\n" msgstr "初始化工具時發生錯誤\n" #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 #: src/tools/sss_usermod.c:173 msgid "Invalid domain specified in FQDN\n" msgstr "在 FQDN 內指定了無效的網域\n" @@ -1839,7 +1853,7 @@ msgstr "群組必須位於與使用者相同的網域內\n" msgid "Cannot find group %1$s in local domain\n" msgstr "" -#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 msgid "Cannot set default values\n" msgstr "無法設定預設值\n" @@ -1916,7 +1930,7 @@ msgstr "" #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 #, c-format msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" 
@@ -1978,15 +1992,15 @@ msgstr "無法修改群組 - 請檢查群組名稱是否正確\n" msgid "Transaction error. Could not modify group.\n" msgstr "處理事項發生錯誤。無法修改群組。\n" +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "魔法隱私" + #: src/tools/sss_groupshow.c:615 #, c-format msgid "%1$s%2$sGroup: %3$s\n" msgstr "" -#: src/tools/sss_groupshow.c:616 -msgid "Magic Private " -msgstr "魔法隱私" - #: src/tools/sss_groupshow.c:618 #, c-format msgid "%1$sGID number: %2$d\n" 
@@ -2029,68 +2043,68 @@ msgstr "本機網域內沒有這樣的群組。只許可在本機網域內列出 msgid "Internal error. Could not print group.\n" msgstr "內部錯誤。無法列出群組。\n" -#: src/tools/sss_userdel.c:136 +#: src/tools/sss_userdel.c:138 msgid "Remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:138 +#: src/tools/sss_userdel.c:140 msgid "Do not remove home directory and mail spool" msgstr "" -#: src/tools/sss_userdel.c:140 +#: src/tools/sss_userdel.c:142 msgid "Force removal of files not owned by the user" msgstr "強制檔案的移除並非由使用者所擁有" -#: src/tools/sss_userdel.c:142 +#: src/tools/sss_userdel.c:144 msgid "Kill users' processes before removing him" msgstr "" -#: src/tools/sss_userdel.c:188 +#: src/tools/sss_userdel.c:190 msgid "Specify user to delete\n" msgstr "指定要刪除的使用者\n" -#: src/tools/sss_userdel.c:234 +#: src/tools/sss_userdel.c:236 #, c-format msgid "User %1$s is outside the defined ID range for domain\n" msgstr "" -#: src/tools/sss_userdel.c:259 +#: src/tools/sss_userdel.c:261 msgid "Cannot reset SELinux login context\n" msgstr "" -#: src/tools/sss_userdel.c:271 +#: src/tools/sss_userdel.c:273 #, c-format msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" msgstr "" -#: src/tools/sss_userdel.c:276 +#: src/tools/sss_userdel.c:278 msgid "Cannot determine if the user was logged in on this platform" msgstr "" -#: src/tools/sss_userdel.c:281 +#: src/tools/sss_userdel.c:283 msgid "Error while checking if the user was logged in\n" msgstr "" -#: src/tools/sss_userdel.c:288 +#: src/tools/sss_userdel.c:290 #, c-format msgid "The post-delete command failed: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:308 +#: src/tools/sss_userdel.c:310 msgid "Not removing home dir - not owned by user\n" msgstr "不會移除家目錄 - 並非由使用者所擁有\n" -#: src/tools/sss_userdel.c:310 +#: src/tools/sss_userdel.c:312 #, c-format msgid "Cannot remove homedir: %1$s\n" msgstr "" -#: src/tools/sss_userdel.c:324 +#: src/tools/sss_userdel.c:326 msgid "" "No such user in local domain. 
Removing users only allowed in local domain.\n" msgstr "在本機網域內沒有這樣的使用者。只許可在本機網域內移除使用者。\n" -#: src/tools/sss_userdel.c:329 +#: src/tools/sss_userdel.c:331 msgid "Internal error. Could not remove user.\n" msgstr "內部錯誤。無法移除使用者。\n" 
@@ -2169,88 +2183,88 @@ msgstr "" msgid "Couldn't invalidate %1$s %2$s\n" msgstr "" -#: src/tools/sss_cache.c:706 +#: src/tools/sss_cache.c:721 msgid "Invalidate all cached entries" msgstr "" -#: src/tools/sss_cache.c:708 +#: src/tools/sss_cache.c:723 msgid "Invalidate particular user" msgstr "" -#: src/tools/sss_cache.c:710 +#: src/tools/sss_cache.c:725 msgid "Invalidate all users" msgstr "" -#: src/tools/sss_cache.c:712 +#: src/tools/sss_cache.c:727 msgid "Invalidate particular group" msgstr "" -#: src/tools/sss_cache.c:714 +#: src/tools/sss_cache.c:729 msgid "Invalidate all groups" msgstr "" -#: src/tools/sss_cache.c:716 +#: src/tools/sss_cache.c:731 msgid "Invalidate particular netgroup" msgstr "" -#: src/tools/sss_cache.c:718 +#: src/tools/sss_cache.c:733 msgid "Invalidate all netgroups" msgstr "" -#: src/tools/sss_cache.c:720 +#: src/tools/sss_cache.c:735 msgid "Invalidate particular service" msgstr "" -#: src/tools/sss_cache.c:722 +#: src/tools/sss_cache.c:737 msgid "Invalidate all services" msgstr "" -#: src/tools/sss_cache.c:725 +#: src/tools/sss_cache.c:740 msgid "Invalidate particular autofs map" msgstr "" -#: src/tools/sss_cache.c:727 +#: src/tools/sss_cache.c:742 msgid "Invalidate all autofs maps" msgstr "" -#: src/tools/sss_cache.c:731 +#: src/tools/sss_cache.c:746 msgid "Invalidate particular SSH host" msgstr "" -#: src/tools/sss_cache.c:733 +#: src/tools/sss_cache.c:748 msgid "Invalidate all SSH hosts" msgstr "" -#: src/tools/sss_cache.c:737 +#: src/tools/sss_cache.c:752 msgid "Invalidate particular sudo rule" msgstr "" -#: src/tools/sss_cache.c:739 +#: src/tools/sss_cache.c:754 msgid "Invalidate all cached sudo rules" msgstr "" -#: src/tools/sss_cache.c:742 +#: src/tools/sss_cache.c:757 msgid "Only invalidate entries from a particular domain" msgstr "" -#: src/tools/sss_cache.c:796 +#: src/tools/sss_cache.c:811 msgid "" "Unexpected argument(s) provided, options that invalidate a single object " "only accept a single provided argument.\n" msgstr "" 
-#: src/tools/sss_cache.c:806 +#: src/tools/sss_cache.c:821 msgid "Please select at least one object to invalidate\n" msgstr "" -#: src/tools/sss_cache.c:889 +#: src/tools/sss_cache.c:904 #, c-format msgid "" "Could not open domain %1$s. If the domain is a subdomain (trusted domain), " "use fully qualified name instead of --domain/-d parameter.\n" msgstr "" -#: src/tools/sss_cache.c:894 +#: src/tools/sss_cache.c:909 msgid "Could not open available domains\n" msgstr "" @@ -2285,7 +2299,6 @@ msgid "Invalid result." msgstr "" #: src/tools/sssctl/sssctl.c:78 -#, c-format msgid "Unable to read user input\n" msgstr "" @@ -2295,7 +2308,6 @@ msgid "Invalid input, please provide either '%s' or '%s'.\n" msgstr "" #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -#, c-format msgid "Error while executing external command\n" msgstr "" 
@@ -2371,32 +2383,53 @@ msgstr "" msgid "Search by group ID" msgstr "" -#: src/tools/sssctl/sssctl_config.c:67 +#: src/tools/sssctl/sssctl_config.c:70 #, c-format -msgid "" -"File %1$s does not exist. SSSD will use default configuration with files " -"provider.\n" +msgid "Failed to open %s\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:81 +#: src/tools/sssctl/sssctl_config.c:75 #, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:79 msgid "" "File ownership and permissions check failed. Expected root:root and 0600.\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:104 +#: src/tools/sssctl/sssctl_config.c:85 +#, c-format +msgid "Failed to load configuration configuration from %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:91 +msgid "Error while reading configuration directory.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:99 +msgid "" +"There is no configuration. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:111 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 #, c-format msgid "Issues identified by validators: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:114 +#: src/tools/sssctl/sssctl_config.c:126 #, c-format msgid "Messages generated during configuration merging: %zu\n" msgstr "" -#: src/tools/sssctl/sssctl_config.c:127 +#: src/tools/sssctl/sssctl_config.c:137 #, c-format -msgid "Used configuration snippet files: %u\n" +msgid "Used configuration snippet files: %zu\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:89 @@ -2409,12 +2442,10 @@ msgid "SSSD backup of local data already exists, override?" msgstr "" #: src/tools/sssctl/sssctl_data.c:111 -#, c-format msgid "Unable to export user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:118 -#, c-format msgid "Unable to export group overrides\n" msgstr "" 
@@ -2423,17 +2454,15 @@ msgid "Override existing backup" msgstr "" #: src/tools/sssctl/sssctl_data.c:164 -#, c-format msgid "Unable to import user overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:173 -#, c-format msgid "Unable to import group overrides\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -#: src/tools/sssctl/sssctl_domains.c:315 +#: src/tools/sssctl/sssctl_domains.c:328 msgid "Start SSSD if it is not running" msgstr "" @@ -2454,27 +2483,22 @@ msgid "Start SSSD when the cache is removed" msgstr "" #: src/tools/sssctl/sssctl_data.c:235 -#, c-format msgid "Creating backup of local data...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:238 -#, c-format msgid "Unable to create backup of local data, can not remove the cache.\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:243 -#, c-format msgid "Removing cache files...\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:246 -#, c-format msgid "Unable to remove cache files\n" msgstr "" #: src/tools/sssctl/sssctl_data.c:251 -#, c-format msgid "Restoring local data...\n" msgstr "" @@ -2482,17 +2506,11 @@ msgstr "" msgid "Show domain list including primary or trusted domain type" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354 +#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 #: src/tools/sssctl/sssctl_user_checks.c:95 -#, c-format msgid "Unable to connect to system bus!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:167 -#, c-format -msgid "Online status: %s\n" -msgstr "" - #: src/tools/sssctl/sssctl_domains.c:167 msgid "Online" msgstr "" 
@@ -2501,52 +2519,61 @@ msgstr "" msgid "Offline" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:212 +#: src/tools/sssctl/sssctl_domains.c:167 #, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:213 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:218 msgid "Active servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:223 +#: src/tools/sssctl/sssctl_domains.c:230 msgid "not connected" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:260 +#: src/tools/sssctl/sssctl_domains.c:267 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:273 #, c-format msgid "Discovered %s servers:\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:272 +#: src/tools/sssctl/sssctl_domains.c:285 msgid "None so far.\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:312 +#: src/tools/sssctl/sssctl_domains.c:325 msgid "Show online status" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:313 +#: src/tools/sssctl/sssctl_domains.c:326 msgid "Show information about active server" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:314 +#: src/tools/sssctl/sssctl_domains.c:327 msgid "Show list of discovered servers" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:320 +#: src/tools/sssctl/sssctl_domains.c:333 msgid "Specify domain name." msgstr "" -#: src/tools/sssctl/sssctl_domains.c:342 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:355 msgid "Out of memory!\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 msgid "Unable to get online status\n" msgstr "" -#: src/tools/sssctl/sssctl_domains.c:382 -#, c-format +#: src/tools/sssctl/sssctl_domains.c:395 msgid "Unable to get server list\n" msgstr "" 
@@ -2559,27 +2586,22 @@ msgid "Delete log files instead of truncating" msgstr "" #: src/tools/sssctl/sssctl_logs.c:248 -#, c-format msgid "Deleting log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:251 -#, c-format msgid "Unable to remove log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:257 -#, c-format msgid "Truncating log files...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:260 -#, c-format msgid "Unable to truncate log files\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:286 -#, c-format msgid "Out of memory!" msgstr "" @@ -2589,7 +2611,6 @@ msgid "Archiving log files into %s...\n" msgstr "" #: src/tools/sssctl/sssctl_logs.c:292 -#, c-format msgid "Unable to archive log files\n" msgstr "" @@ -2598,7 +2619,6 @@ msgid "Specify debug level you want to set" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:117 -#, c-format msgid "SSSD InfoPipe user lookup result:\n" msgstr "" @@ -2613,7 +2633,6 @@ msgid "dlsym failed with [%s].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:182 -#, c-format msgid "malloc failed.\n" msgstr "" @@ -2623,7 +2642,6 @@ msgid "sss_getpwnam_r failed with [%d].\n" msgstr "" #: src/tools/sssctl/sssctl_user_checks.c:194 -#, c-format msgid "SSSD nss user lookup result:\n" msgstr "" 
@@ -2680,122 +2698,113 @@ msgid "" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:253 +#: src/tools/sssctl/sssctl_user_checks.c:252 #, c-format msgid "User name lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:258 +#: src/tools/sssctl/sssctl_user_checks.c:257 #, c-format msgid "InfoPipe User lookup with [%s] failed.\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:265 +#: src/tools/sssctl/sssctl_user_checks.c:263 #, c-format msgid "pam_start failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:270 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:268 msgid "" "testing pam_authenticate\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:274 +#: src/tools/sssctl/sssctl_user_checks.c:272 #, c-format msgid "pam_get_item failed: %s\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:278 +#: src/tools/sssctl/sssctl_user_checks.c:275 #, c-format msgid "" "pam_authenticate for user [%s]: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:281 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:278 msgid "" "testing pam_chauthtok\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:283 +#: src/tools/sssctl/sssctl_user_checks.c:280 #, c-format msgid "" "pam_chauthtok: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:285 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:282 msgid "" "testing pam_acct_mgmt\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:287 +#: src/tools/sssctl/sssctl_user_checks.c:284 #, c-format msgid "" "pam_acct_mgmt: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:289 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:286 msgid "" "testing pam_setcred\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:291 +#: src/tools/sssctl/sssctl_user_checks.c:288 #, c-format msgid "" "pam_setcred: [%s]\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:293 -#, c-format +#: 
src/tools/sssctl/sssctl_user_checks.c:290 msgid "" "testing pam_open_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:295 +#: src/tools/sssctl/sssctl_user_checks.c:292 #, c-format msgid "" "pam_open_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:297 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:294 msgid "" "testing pam_close_session\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:299 +#: src/tools/sssctl/sssctl_user_checks.c:296 #, c-format msgid "" "pam_close_session: %s\n" "\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:302 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:298 msgid "unknown action\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:305 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:301 msgid "PAM Environment:\n" msgstr "" -#: src/tools/sssctl/sssctl_user_checks.c:313 -#, c-format +#: src/tools/sssctl/sssctl_user_checks.c:309 msgid " - no env -\n" msgstr "" diff --git a/src/man/po/br.po b/src/man/po/br.po index 9c54e22d8f6..e6f1d4dc71f 100644 --- a/src/man/po/br.po +++ b/src/man/po/br.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-14 11:51+0000\n" "Last-Translator: Copied by Zanata \n" "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/" @@ -31,7 +31,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Dornlevr SSSD" 
@@ -77,7 +77,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "DESKRIVADUR" @@ -138,7 +138,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -147,7 +147,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -298,12 +298,12 @@ msgid "" msgstr "" #. type: Content of: -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Dre ziouer : true" 
@@ -320,19 +320,23 @@ msgid "" msgstr "" #. type: Content of: -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "" msgstr "" @@ -355,8 +359,8 @@ msgid "" msgstr "" #. type: Content of: -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" 
@@ -371,7 +375,7 @@ msgid "The [sssd] section" msgstr "Ar rann [sssd]" #. type: Content of: -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Arventennoù ar rann" @@ -419,19 +423,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Dre ziouer : 3" @@ -451,7 +455,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (neudennad)" 
@@ -471,12 +475,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (neudennad)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -484,39 +488,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -531,20 +535,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -552,52 +567,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -610,17 +625,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -630,7 +645,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -643,23 +658,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -669,7 +684,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -678,22 +693,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -701,69 +716,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Dre zoiuer : 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -771,19 +805,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -791,24 +825,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -817,7 +851,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -825,8 +859,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -834,68 +882,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -906,7 +954,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -923,7 +971,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -940,12 +988,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "RANNOÙ SERVIJOÙ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -954,22 +1002,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -979,17 +1027,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -999,18 +1047,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1018,24 +1066,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1043,12 +1091,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1060,58 +1108,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Dre ziouer : 120" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1119,7 +1167,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1129,7 +1177,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1138,17 +1186,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1156,17 +1204,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Dre ziouer : 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1174,17 +1222,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (neudennad)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1193,7 +1241,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1202,41 +1250,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Dre zoiuer : root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1244,23 +1292,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1268,47 +1316,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1316,112 +1364,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1432,96 +1480,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1529,59 +1577,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Dre zoiuer : 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1590,61 +1638,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1652,7 +1700,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1661,17 +1709,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1679,31 +1727,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Dre ziouer : 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1713,75 +1761,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1789,19 +1837,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1809,12 +1857,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1822,77 +1870,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1900,7 +1948,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1912,63 +1960,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1976,12 +2024,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1992,7 +2040,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2000,7 +2048,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2008,7 +2056,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2017,12 +2065,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2033,24 +2081,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2060,22 +2108,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2083,51 +2131,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2136,24 +2184,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2164,7 +2239,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2175,24 +2250,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2200,12 +2275,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2214,24 +2289,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2241,66 +2316,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2308,17 +2383,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2326,7 +2401,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2334,22 +2409,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "RANNOÙ DOMANI" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2358,14 +2433,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2374,38 +2449,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2414,24 +2489,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2440,29 +2515,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2476,14 +2551,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2492,39 +2567,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2533,19 +2608,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2556,115 +2631,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2673,42 +2748,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2716,24 +2791,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2742,17 +2817,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2761,34 +2836,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2796,7 +2871,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2804,8 +2879,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2814,8 +2889,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2823,19 +2898,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2844,7 +2919,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2852,22 +2927,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2879,7 +2954,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2887,19 +2962,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2907,7 +2982,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2915,35 +2990,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2951,19 +3026,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2972,7 +3047,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2980,29 +3055,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3010,7 +3085,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3018,35 +3093,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3054,32 +3129,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3090,7 +3165,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3099,12 +3174,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3112,7 +3187,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3120,31 +3195,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3152,7 +3227,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3161,17 +3236,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3179,43 +3254,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3223,7 +3298,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3231,7 +3306,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3239,24 +3314,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3264,12 +3339,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3279,7 +3354,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3288,29 +3363,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3318,7 +3393,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3328,59 +3403,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3389,77 +3464,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3467,7 +3542,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3476,17 +3551,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3494,34 +3569,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3529,32 +3604,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3564,34 +3639,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3600,19 +3675,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3620,24 +3695,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3646,24 +3721,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3673,14 +3748,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3688,21 +3763,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3710,7 +3785,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3719,7 +3794,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3728,7 +3803,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3736,29 +3811,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3766,12 +3841,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3780,12 +3855,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3793,19 +3868,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3822,7 +3897,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3830,17 +3905,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3849,7 +3924,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3859,7 +3934,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3879,12 +3954,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3892,73 +3967,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3966,17 +4041,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3985,17 +4060,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4003,17 +4078,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4021,17 +4096,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4042,69 +4117,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4117,7 +4192,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4125,7 +4200,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4134,55 +4209,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4191,17 +4266,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4209,26 +4284,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4237,17 +4312,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4257,7 +4332,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4266,59 +4341,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4326,14 +4401,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4341,7 +4416,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4349,12 +4424,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4384,7 +4459,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4393,7 +4468,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4401,7 +4476,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4412,7 +4487,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4426,7 +4501,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4482,12 +4557,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4497,33 +4572,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4532,71 +4607,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4605,7 +4680,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4616,12 +4691,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4629,32 +4704,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4665,37 +4740,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4704,10729 +4779,10971 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1577 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. 
To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. 
With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 -msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." 
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. 
The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. 
The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. 
In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. 
This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." 
+"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." 
+"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. 
The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"The option also supports specifying different filters per domain or forest. 
" +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. 
See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. 
However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 -msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 -msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. 
The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. 
To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:495 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:515 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:531 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:549 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 -msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 -msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:638 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. 
Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:697 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:715 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:721 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 -msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:778 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:790 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." 
+"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:808 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." 
+#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." 
+"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. 
This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. 
The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. 
For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. 
This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 -msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd.8.xml:259 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sss_obfuscate.8.xml:32 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sss_obfuscate.8.xml:37 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sss_obfuscate.8.xml:49 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sss_override.8.xml:52 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. 
Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"ldap_id_mapping = False\n" -" " +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 -msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 -msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 -msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." 
+"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:208 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:216 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:225 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:243 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:257 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." 
+"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:275 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:288 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:309 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. 
First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. 
the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:344 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:364 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:379 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 -msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. 
The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#: sssd-krb5.5.xml:65 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. 
In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sssd-krb5.5.xml:606 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_userdel.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_userdel.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#: sss_userdel.8.xml:72 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_usermod.8.xml:96 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_usermod.8.xml:152 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_cache.8.xml:31 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_cache.8.xml:68 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#: sss_cache.8.xml:75 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:119 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:134 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:141 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:178 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:201 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:209 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"List all groups with set overrides. 
If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_seed.8.xml:68 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. 
Data format is " -"similar to standard group file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_seed.8.xml:153 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sssd-ifp.5.xml:36 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:53 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:63 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sssd-ifp.5.xml:81 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sssd-ifp.5.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. 
Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:139 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:39 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "GWELET IVEZ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Directory to store credential caches. 
All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 -msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 -msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. 
If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 -msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 -msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<emphasis>try</emphasis> to use FAST. 
If the server does not support FAST, " -"continue the authentication without it." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#: sssd-secrets.5.xml:75 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:61 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 -msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 -msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:207 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 -msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." 
+"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:260 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." 
+#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:347 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. 
Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." 
+"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 -msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"The username of the entry to be created or modified in the cache. 
The " -"<replaceable>USER</replaceable> option must be provided." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. 
This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 64" +msgstr "Dre ziouer : 3" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 65536" +msgstr "Dre ziouer : 3" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." 
+"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 -msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap -msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "GWELET IVEZ" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "" - -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap -msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. 
When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"This example shows how to configure idmap_sss as the default mapping module." 
+"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#: sssd-systemtap.5.xml:412 msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#: sssd-ldap-attributes.5.xml:23 msgid "" -"passwd: sss files\n" -"group: sss files\n" +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." 
+#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. 
The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. 
" +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). 
KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that references group members that are defined in an " +"external domain. 
At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 64" -msgstr "Dre ziouer : 3" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 65536" -msgstr "Dre ziouer : 3" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "RANNOÙ SERVIJOÙ" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/ca.po b/src/man/po/ca.po index 531ba5bad01..adf6edf1967 100644 --- a/src/man/po/ca.po +++ b/src/man/po/ca.po 
@@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2015-10-18 04:13+0000\n" "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n" "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/" @@ -37,7 +37,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Pàgines del manual de l'SSSD" @@ -82,7 +82,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "DESCRIPCIÓ" @@ -152,7 +152,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" 
@@ -161,7 +161,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Formats i convencions dels fitxers" @@ -332,12 +332,12 @@ msgstr "" "opció." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Per defecte: true" 
@@ -357,19 +357,23 @@ msgstr "" "aleshores s'ignora aquesta opció." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Per defecte: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -392,8 +396,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Per defecte: 10" @@ -408,7 +412,7 @@ msgid "The [sssd] section" msgstr "La secció [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Paràmetres de la secció" @@ -462,12 +466,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -477,7 +481,7 @@ msgstr "" "vençuts" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Per defecte: 3" @@ -497,7 +501,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (cadena)" 
@@ -519,12 +523,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -535,40 +539,40 @@ msgstr "" "compondre un FQN des dels components del nom d'usuari i del nom del domini." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "nom d'usuari" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" "el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -588,16 +592,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "L'SSSD monitora l'estat del resolv.conf per identificar quan cal actualitzar " "el seu traductor intern de DNS. Per defecte, s'intentarà utilitzar inotify " 
@@ -605,7 +628,7 @@ msgstr "" "pot utilitzar l'inotify." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -616,7 +639,7 @@ msgstr "" "d'establir aquesta opció a «false»" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -625,7 +648,7 @@ msgstr "" "altres plataformes." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -634,12 +657,12 @@ msgstr "" "disponible. En aquestes plataformes, sempre s'utilitzarà el sondeig." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -648,7 +671,7 @@ msgstr "" "cau de repetició del Kerberos." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." @@ -658,7 +681,7 @@ msgstr "" "auxiliar de reproducció." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -667,12 +690,12 @@ msgstr "" "construcció. (__LIBKRB5_DEFAULTS__ si no està configurat)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "user (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " 
@@ -685,17 +708,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "Per defecte: sense establir, els processos s'executaran com a root" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -711,7 +734,7 @@ msgstr "" "nom d'usuari sense donar també un nom de domini." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 #, fuzzy #| msgid "" #| "Please note that if this option is set all users from the primary domain " 
@@ -736,23 +759,23 @@ msgstr "" "d'aquesta opció juntament amb use_fully_qualified_names establert a False." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Per defecte: sense establir" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "override_space (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -762,7 +785,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -771,22 +794,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Per defecte: sense establir (no se substituiran els espais)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -794,69 +817,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Per defecte: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -864,19 +906,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -884,24 +926,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -910,7 +952,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -918,8 +960,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -927,68 +983,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -999,7 +1055,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " 
@@ -1016,7 +1072,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Per defecte: Sense establir" @@ -1039,12 +1095,12 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "SECCIONS DELS SERVEIS" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -1057,22 +1113,22 @@ msgstr "" "quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Opcions de configuració del servei general" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Es poden utilitzar aquestes opcions per configurar qualsevol servei." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -1082,17 +1138,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1102,18 +1158,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Per defecte: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1121,24 +1177,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "offline_timeout + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "new_interval = old_interval*2 + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1146,12 +1202,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1163,30 +1219,30 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Per defecte: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "Opcions de configuració de l'NSS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1194,12 +1250,12 @@ msgstr "" "Service Switch)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1208,17 +1264,17 @@ msgstr "" "(peticions d'informació sobre tots els usuaris)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Per defecte: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1229,7 +1285,7 @@ msgstr "" "valor entry_cache_timeout per al domini." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1245,7 +1301,7 @@ msgstr "" "peticions que esperen per a una actualització de la memòria cau." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1258,17 +1314,17 @@ msgstr "" "(0 desactiva aquesta característica)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Per defecte: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1280,17 +1336,17 @@ msgstr "" "altra vegada." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Per defecte: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1298,17 +1354,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1317,7 +1373,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " @@ -1326,17 +1382,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Per defecte: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" 
@@ -1344,12 +1400,12 @@ msgstr "" "aquesta opció a false." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1358,7 +1414,7 @@ msgstr "" "si no se n'especifica cap explícitament amb el proveïdor de dades del domini." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1366,7 +1422,7 @@ msgstr "" "override_homedir." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1376,25 +1432,25 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "exemple: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" "Per defecte: sense establir (cap substitució per als directoris inicials no " "establerts)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1405,18 +1461,18 @@ msgstr "" "pot configurar ja sigui en la secció [nss] o per cada domini." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" "Per defecte: sense establir (SSSD utilitzarà el valor recuperat del LDAP)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" 
@@ -1424,31 +1480,31 @@ msgstr "" "d'avaluació és:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "1. Si el shell està present al <quote>/etc/shells</quote>, s'utilitza." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1456,112 +1512,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Per defecte: /bin/sh" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1572,48 +1628,48 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "Opcions de configuració del PAM" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." 
@@ -1622,12 +1678,12 @@ msgstr "" "(Pluggable Authentication Module)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1637,17 +1693,17 @@ msgstr "" "de sessió)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Per defecte: 0 (sense límit)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1656,12 +1712,12 @@ msgstr "" "fallits es permet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1671,7 +1727,7 @@ msgstr "" "possible." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1679,17 +1735,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Per defecte: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1698,43 +1754,43 @@ msgstr "" "l'autenticació. Com més gran sigui el nombre més missatges es mostren." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "L'sssd actualment admet els següents valors:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: no mostris cap missatge" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: Mostra només missatges importants" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: Mostra missatges informatius" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis>: Mostra tots els missatges i informació de depuració" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Per defecte: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1743,61 +1799,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1809,7 +1865,7 @@ msgstr "" "l'última informació." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1823,17 +1879,17 @@ msgstr "" "excessives al proveïdor d'identitat." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1841,31 +1897,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Per defecte: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "pam_trusted_users (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1875,75 +1931,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "pam_public_domains (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Per defecte: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "pam_account_expired_message (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1951,19 +2007,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1971,12 +2027,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1984,77 +2040,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Per defecte: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -2062,7 +2118,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2074,63 +2130,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "login" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "su" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "su-l" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "gdm-smartcard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "gdm-password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "kdm" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "sudo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -2138,12 +2194,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2154,7 +2210,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2162,7 +2218,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2170,7 +2226,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2179,12 +2235,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "Opcions de configuració de SUDO" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2202,24 +2258,24 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2229,23 +2285,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" "Es poden utilitzar aquestes opcions per configurar el servei de l'autofs." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2253,51 +2309,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "Es poden utilitzar aquestes opcions per configurar el servei de l'SSH." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Per defecte: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2306,24 +2362,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_certificate (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Per defecte: sense establir (no se substituiran els espais)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "Opcions de configuració del contestador del PAC." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2334,7 +2421,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2345,25 +2432,25 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" "Es poden utilitzar aquestes opcions per configurar el contestador del PAC." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2371,12 +2458,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2385,24 +2472,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2412,66 +2499,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2479,17 +2566,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2497,7 +2584,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2505,22 +2592,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "SECCIONS DE DOMINI" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2529,14 +2616,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2545,31 +2632,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id, max_id (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." @@ -2578,7 +2665,7 @@ msgstr "" "fora d'aquests límits, s'ignora." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2591,24 +2678,24 @@ msgstr "" "com s'esperava." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Per defecte: 1 per a min_id, 0 (sense límit) per a max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2617,29 +2704,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = Els usuaris i grups s'enumeren" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = Cap enumeració per a aquest domini" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Per defecte: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2653,7 +2740,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -2663,7 +2750,7 @@ msgstr "" "finalitzi." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2677,39 +2764,39 @@ msgstr "" "ús." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2718,12 +2805,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -2732,7 +2819,7 @@ msgstr "" "demanar al rerefons una altra vegada" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2743,115 +2830,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Per defecte: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Per defecte: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (enter)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "entry_cache_ssh_host_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2860,44 +2947,44 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Per defecte: 0 (inhabilitat)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "Determina si les credencials d'usuari també són emmagatzemades en la memòria " "cau local de LDB" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -2905,24 +2992,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "Per defecte: 8" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -2935,17 +3022,17 @@ msgstr "" "ha de ser superior o igual que offline_credentials_expiration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Per defecte: 0 (sense límit)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2954,34 +3041,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2989,7 +3076,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2997,8 +3084,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -3007,8 +3094,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3016,19 +3103,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -3041,7 +3128,7 @@ msgstr "" "l'usuari mentre que <command>getent passwd test@LOCAL</command> sí." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -3049,22 +3136,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3076,7 +3163,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -3084,12 +3171,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" @@ -3098,7 +3185,7 @@ msgstr "" "d'autenticació suportats són:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3109,7 +3196,7 @@ msgstr "" "manvolnum></citerefentry> per a més informació sobre configuració d'LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3120,7 +3207,7 @@ msgstr "" "manvolnum></citerefentry> per a més informació sobre configurar Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" 
@@ -3128,17 +3215,17 @@ msgstr "" "de PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> impossibilita l'autenticació explícitament." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3147,12 +3234,12 @@ msgstr "" "gestionar les sol·licituds d'autenticació." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -3163,19 +3250,19 @@ msgstr "" "instal·lats) Els proveïdors especials interns són:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> sempre denega l'accés." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3188,7 +3275,7 @@ msgstr "" "configuració del mòdul d'accés simple." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3196,22 +3283,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Per defecte: <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3220,7 +3307,7 @@ msgstr "" "al domini. Els proveïdors de canvi de contrasenya compatibles són:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3228,7 +3315,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3239,7 +3326,7 @@ msgstr "" "manvolnum></citerefentry> per a més informació sobre configurar Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" @@ -3247,12 +3334,12 @@ msgstr "" "objectiu PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3261,17 +3348,17 @@ msgstr "" "gestionar peticions de canvi de contrasenya." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3279,32 +3366,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3315,7 +3402,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3324,12 +3411,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3337,7 +3424,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3345,31 +3432,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3377,7 +3464,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3386,17 +3473,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3404,43 +3491,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3448,7 +3535,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3456,7 +3543,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3464,24 +3551,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3489,12 +3576,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3504,7 +3591,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3513,29 +3600,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3546,7 +3633,7 @@ msgstr "" "quote> , el domini és tot el que hi ha després\"" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3556,17 +3643,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Per defecte: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -3575,42 +3662,42 @@ msgstr "" "realitzar cerques de DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Valors admesos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Per defecte: ipv4_first" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (enter)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -3619,25 +3706,25 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Per defecte: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -3646,52 +3733,52 @@ msgstr "" "del domini de la consulta DNS del servei de descobriment." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "Per defecte: Utilitza la part del domini del nom de màquina" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "case_sensitive (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "True" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "False" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3699,7 +3786,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " @@ -3708,17 +3795,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "subdomain_inherit (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3726,34 +3813,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3763,32 +3850,32 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3798,34 +3885,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Per defecte: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3834,19 +3921,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3854,24 +3941,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3880,24 +3967,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3907,14 +3994,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3922,21 +4009,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3944,7 +4031,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3953,7 +4040,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3962,7 +4049,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3973,17 +4060,17 @@ msgstr "" "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "El servidor intermediari on reenvia PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." @@ -3992,12 +4079,12 @@ msgstr "" "de pam existent o crear-ne una de nova i afegir aquí el nom del servei." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " 
@@ -4008,12 +4095,12 @@ msgstr "" "format _nss_$(libName)_$(function), per exemple _nss_files_getpwent." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4022,12 +4109,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -4035,7 +4122,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4044,12 +4131,12 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " 
@@ -4066,7 +4153,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " @@ -4074,17 +4161,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -4093,7 +4180,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4103,7 +4190,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" 
@@ -4123,12 +4210,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "La secció del domini local" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " @@ -4139,29 +4226,29 @@ msgstr "" "<replaceable>id_provider = local</replaceable>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "El shell predeterminat per als usuaris que es creen amb eines de l'espai " "d'usuari de l'SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Per defecte: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4170,46 +4257,46 @@ msgstr "" "replaceable> i utilitzen aquest com el directori inicial." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Per defecte: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Per defecte: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (booleà)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (enter)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4220,17 +4307,17 @@ msgstr "" "defecte en un directori inicial acabat de crear." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Per defecte: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " @@ -4243,17 +4330,17 @@ msgstr "" "manvolnum></citerefentry>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Per defecte: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " 
@@ -4264,17 +4351,17 @@ msgstr "" "suprimit. Si no s'especifica, s'utilitzarà un valor per defecte." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Per defecte: <filename>/var/correu</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " @@ -4285,17 +4372,17 @@ msgstr "" "té en compte." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Per defecte: Cap, no s'executa cap comanda" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4306,69 +4393,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4381,7 +4468,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4389,7 +4476,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4398,55 +4485,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4455,17 +4542,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4473,26 +4560,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4501,17 +4588,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4521,7 +4608,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4530,59 +4617,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4590,14 +4677,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4605,7 +4692,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4613,12 +4700,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4672,7 +4759,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4681,7 +4768,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4689,7 +4776,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4700,7 +4787,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4714,7 +4801,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4783,12 +4870,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "OPCIONS DE CONFIGURACIÓ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4798,33 +4885,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<host>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "exemple: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4833,67 +4920,67 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "Per habilitar el servei descobriment s'ha d'establir " "ldap_chpass_dns_service_name." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Per defecte: buit, és a dir, s'utilitza ldap_uri." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" "El DN base per defecte a utilitzar per realitzar operacions d'usuari d'LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. 
type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Exemples:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -4902,7 +4989,7 @@ msgstr "" "(host=thishost)?dc=exemple.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " 
@@ -4911,7 +4998,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -4922,12 +5009,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -4935,32 +5022,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4971,37 +5058,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Per defecte: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5010,58 +5097,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" "El vincle DN per defecte per utilitzar en realitzar les operacions d'LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "El tipus de testimoni d'autenticació del vincle DN per defecte." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "Els dos mecanismes suportats actualment són:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "contrasenya" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Per defecte: password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5070,11312 +5157,11594 @@ msgstr "" "text contrasenyes estan suportats actualment." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "La classe d'objecte d'una entrada d'usuari a LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Per defecte: posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "L'atribut LDAP que correspon al nom de compte de l'usuari." +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" +"Alguns servidors de directori, per exemple Active Directory, podria entregar " +"la part de l'àmbit de l'UPN en minúscules, que podria provocar que " +"l'autenticació fallàs. 
Definiu aquesta opció a un valor diferent de zero si " +"voleu utilitzar un àmbit en majúscules." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (cadena)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" -"L'atribut LDAP que correspon al númerdo de l'identificador de l'usuari." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "Per defecte: uidNumber" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (cadena)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" -"L'atribut LDAP que correspon a l'identificador del grup primari de l'usuari." 
+"Determina cada quant es comprova la memòria cau per entrades inactives " +"(grups sense membres i usuaris que mai no han iniciat una sessió) i eliminar-" +"los per estalviar espai." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Per defecte: gidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" +"Si ldap_schema s'estableix a un format d'esquema que admeti els grups niats " +"(p. ex. RFC2307bis), llavors aquesta opció controla quants nivells de " +"nidificació seguirà l'SSSD. Aquesta opció no té cap efecte sobre l'esquema " +"RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." 
+"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (cadena)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Per defecte: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "L'atribut LDAP que correspon al camp gecos de l'usuari." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Per defecte: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (cadena)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." -msgstr "L'atribut LDAP que conté el nom del directori inicial de l'usuari." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." -msgstr "L'atribut LDAP que conté el camí al shell per defecte de l'usuari." +#. 
type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Per defecte: el valor de <emphasis>ldap_search_base</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Per defecte: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "ldap_user_uuid (cadena)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (cadena)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (cadena)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." 
+"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -"L'atribut LDAP que conté la data i hora de l'última modificació de l'objecte " -"pare." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Per defecte: modifyTimestamp" +"Especifica el temps d'espera (en segons) després que el " +"<citerefentry><refentrytitle>sondeig</refentrytitle> <manvolnum>2</" +"manvolnum></citerefentry>/<citerefentry><refentrytitle>selecció</" +"refentrytitle> <manvolnum>2</manvolnum></citerefentry> seguit d'una " +"<citerefentry><refentrytitle>connexió</refentrytitle> <manvolnum>2</" +"manvolnum></citerefentry> retorna en cas de cap activitat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (cadena)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." 
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " -"atribut d'LDAP corresponent al seu homòleg " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (data de l'últim canvi de contrasenya)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Per defecte: shadowLastChange" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (cadena)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." 
msgstr "" -"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " -"atribut d'LDAP corresponent al seu homòleg " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (edat mínima de la contrasenya)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Per defecte: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Per defecte: 900 (15 minuts)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (cadena)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " -"atribut d'LDAP corresponent al seu homòleg " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (edat màxima de la contrasenya)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Per defecte: shadowMax" +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Per defecte: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (cadena)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " -"atribut d'LDAP corresponent al seu homòleg " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (període d'advertència de contrasenya)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Per defecte: shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (cadena)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " -"atribut d'LDAP corresponent al seu homòleg " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (període d'inactivitat de contrasenya)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Per defecte: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (cadena)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (booleà)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" -"En utilitzar ldap_pwd_policy=shadow o ldap_account_expire_policy=shadow, " -"aquest paràmetre conté el nom d'un atribut d'LDAP corresponent al seu " -"homòleg <citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> (data de caducitat del compte)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Per defecte: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (cadena)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (enter)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " -"d'un atribut d'LDAP que emmagatzema la data i hora del darrer canvi de " -"contrasenya en kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Per defecte: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (cadena)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." 
msgstr "" -"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " -"d'un atribut d'LDAP que emmagatzema la data i hora d'expiració de la " -"contrasenya actual." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Per defecte: krbPasswordExpiration" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (cadena)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Per defecte: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (cadena)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" +"Especifica quines comprovacions s'han de realitzar sobre els certificats de " +"servidor en una sessió TLS, si s'escau. Es pot especificar com un dels " +"valors següents:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Per defecte: userAccountControl" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = El client no demanarà o comprovarà cap " +"certificat del servidor." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:651 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" +"<emphasis>allow</emphasis> = El certificat del servidor se sol·licitarà. Si " +"no es proporciona cap certificat, la sessió avança normalment. Si es " +"proporciona un certificat dolent, s'ignorarà i la sessió procedirà " +"normalment." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:658 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" +"<emphasis>try</emphasis> = El certificat del servidor se sol·licitarà. Si no " +"es proporciona cap certificat, la sessió avança normalment. Si es " +"proporciona un certificat dolent, immediatament s'acaba la sessió." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" +#: sssd-ldap.5.xml:664 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" +"<emphasis>demand</emphasis> = El certificat del servidor se sol·licitarà. 
Si " +"no es proporciona cap certificat, o se'n proporciona un de dolent, " +"immediatament s'acaba la sessió." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Per defecte: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (cadena)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" +"Especifica el fitxer que conté els certificats per a totes les Autoritats de " +"Certificació que reconeixerà l'<command>sssd</command>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Per defecte: loginDisabled" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" +"Per defecte: Utilitza els valors per defecte d'OpenLDAP, normalment a " +"<filename>/etc/openldap/ldap.conf</filename>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (cadena)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" +"Especifica el camí al directori que conté els certificats de l'autoritat " +"certificadora en fitxers separats independents. Normalment els noms dels " +"fitxers són el hash del certificat seguit de '. 0'. Si està disponible, " +"<command>cacertdir_rehash</command> es pot utilitzar per crear els noms " +"correctes." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (cadena)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (cadena)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Per defecte: loginAllowedTimeMap" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (cadena)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:741 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"L'atribut LDAP que conté el Nom Principal d'Usuari (UPN) de l'usuari de " -"Kerberos." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Per defecte: krbPrincipalName" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (cadena)" +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (booleà)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#: sssd-ldap.5.xml:757 msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" +"Especifica que la connexió id_provider també ha d'utilitzar <systemitem " +"class=\"protocol\">tls</systemitem> per a protegir el canal." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 +#: sssd-ldap.5.xml:770 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:789 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (cadena)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:810 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" -msgstr "Per defecte: sshPublicKey" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:814 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." 
msgstr "" -"Alguns servidors de directori, per exemple Active Directory, podria entregar " -"la part de l'àmbit de l'UPN en minúscules, que podria provocar que " -"l'autenticació fallàs. Definiu aquesta opció a un valor diferent de zero si " -"voleu utilitzar un àmbit en majúscules." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (enter)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (enter)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:833 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). 
By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -"Determina cada quant es comprova la memòria cau per entrades inactives " -"(grups sense membres i usuaris que mai no han iniciat una sessió) i eliminar-" -"los per estalviar espai." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (cadena)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "L'atribut LDAP que correspon al nom complet de l'usuari." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Per defecte: cn" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Per defecte: el valor de krb5_realm." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (cadena)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." -msgstr "L'atribut LDAP que llista la pertanença a grups de l'usuari." +#: sssd-ldap.5.xml:877 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Per defecte: memberOf" +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Per defecte: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (cadena)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 -msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." 
msgstr "" -"Si access_provider=ldap i ldap_access_order=authorized_service, l'SSSD farà " -"servir la presència de l'atribut authorizedService a l'entrada LDAP de " -"l'usuari per determinar els privilegis d'accés." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" -"Una denegació explícita (!svc) es resol en primer lloc. En segon lloc, " -"l'SSSD cerca autoritzacions explícites (svc) i, finalment, allow_all (*)." +"Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5." +"keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:904 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (enter)" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:919 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Per defecte: authorizedService" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Per defecte: 86400 (24 hores)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (cadena)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" +"Quan s'utilitza el servei de descobriment per als servidors KDC o kpasswd, " +"l'SSSD primer cerca les entrades DNS que especifiquen _udp com el protocol i " +"retorna a _tcp si no se'n troba cap." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" +"Aquesta opció s'anomenava <quote>krb5_kdcip</quote> en les primeres versions " +"de l'SSSD. Mentre que el nom antic és reconegut de moment, s'aconsella als " +"usuaris que migrin els seus fitxers de configuració per utilitzar " +"<quote>krb5_server</quote>." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 -msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" +"Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/" +"krb5.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (booleà)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "ldap_user_certificate (cadena)" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" +"Selecciona la política per avaluar la caducitat de la contrasenya en el " +"costat del client. S'admeten els valors següents:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1022 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" +"<emphasis>none</emphasis> - Cap avaluació del costat del client. Aquesta " +"opció no inhabilita les polítiques de contrasenya de servidor." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (cadena)" - #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "La classe d'objecte d'una entrada de grup a LDAP." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" +"<emphasis>mit_kerberos</emphasis> - Usa els atributs utilitzats per MIT " +"Kerberos per determinar si la contrasenya ha caducat. Utilitza " +"chpass_provider=krb5 per actualitzar aquests atributs quan es canvia la " +"contrasenya." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Per defecte: posixGroup" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (cadena)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "L'atribut LDAP que es correspon amb el nom del grup." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" +"Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (cadena)" +"Tingueu en compte que l'sssd només admet l'encadenament de les referències " +"quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "L'atribut LDAP que correspon a l'identificador del grup." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (cadena)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "L'atribut LDAP que conté els noms dels membres del grup." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." 
+msgstr "" +"Especifica el nom de servei per utilitzar quan està habilitada la detecció " +"de serveis." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Per defecte: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Per defecte: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "ldap_group_uuid (cadena)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Especifica el nom del servei a utilitzar per trobar un servidor LDAP que " +"permeti els canvis de contrasenyes quan estigui habilitat el descobriment " +"dels serveis." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" +"Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (cadena)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (booleà)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1106 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (cadena)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Exemple:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1148 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Per defecte: Buit" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" +"Amb aquesta opció es pot habilitar una avaluació del costat de client " +"d'atributs de control d'accés." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" +"Si us plau, tingueu en compte que sempre és recomanable utilitzar el control " +"d'accés del costat de servidor, és a dir, el servidor d'LDAP hauria de " +"denegar la petició de vincle amb un codi d'error adequat fins i tot si la " +"contrasenya és correcta." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "S'admeten els valors següents:" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1184 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -"Si ldap_schema s'estableix a un format d'esquema que admeti els grups niats " -"(p. ex. RFC2307bis), llavors aquesta opció controla quants nivells de " -"nidificació seguirà l'SSSD. Aquesta opció no té cap efecte sobre l'esquema " -"RFC2307." +"<emphasis>shadow</emphasis>: utilitza el valor ldap_user_shadow_expire per " +"determinar si el compte ha caducat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1189 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1196 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. 
However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Per defecte: 2" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1202 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (cadena)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "La classe d'objecte d'una entrada de netgroup a LDAP." +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" +"Llista separada per comes d'opcions de control d'accés. Els valors permesos " +"són:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Per defecte: nisNetgroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "L'atribut LDAP que es correspon amb el nom del netgroup." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. 
Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (cadena)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." -msgstr "L'atribut LDAP que conté els noms dels membres del netgroup." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Per defecte: memberNisNetgroup" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (cadena)" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1272 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -"L'atribut LDAP que conté les tripletes netgroup (maquina, usuari, domini)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Per defecte: nisNetgroupTriple" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (cadena)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Per defecte: ipService" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" +"<emphasis>authorized_service</emphasis>: utilitza l'atribut " +"authorizedService per determinar l'accés" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1308 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" -msgstr "" +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Per defecte: filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" +"Si us plau, tingueu en compte que és un error de configuració si un valor " +"s'utilitza més d'una vegada." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 -msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." -msgstr "" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Per defecte: el valor de <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" -msgstr "" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#: sssd-ldap.5.xml:1350 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" +"Especifica com es realitza l'eliminació de les referències dels àlies quan " +"es fa una cerca. S'admeten les opcions següents:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (cadena)" +"<emphasis>never</emphasis>: les referències dels àlies mai són eliminades." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (cadena)" +"<emphasis>searching</emphasis>: les referències dels àlies són eliminades en " +"subordinats de l'objecte base, però no en la localització de l'objecte base " +"de la cerca." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1364 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (cadena)" +"<emphasis>finding</emphasis>: les referències dels àlies són eliminades " +"només en localitzar l'objecte base de la cerca." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" +"<emphasis>always</emphasis>: les referències dels àlies són eliminades tant " +"en la recerca i en la localització de l'objecte base de la cerca." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Per defecte: ipServicePort" +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" +"Per defecte: Buit (això es tractarà com a <emphasis>never</emphasis> amb les " +"biblioteques de client LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (cadena)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1385 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Per defecte: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (enter)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1389 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1400 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (enter)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1415 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Especifica el temps d'espera (en segons) després que el " -"<citerefentry><refentrytitle>sondeig</refentrytitle> <manvolnum>2</" -"manvolnum></citerefentry>/<citerefentry><refentrytitle>selecció</" -"refentrytitle> <manvolnum>2</manvolnum></citerefentry> seguit d'una " -"<citerefentry><refentrytitle>connexió</refentrytitle> <manvolnum>2</" -"manvolnum></citerefentry> retorna en cas de cap activitat." +"Totes les opcions comunes de configuració que s'apliquen als dominis SSD " +"també s'apliquen als dominis LDAP. Referiu-vos a la secció <quote>SECCIONS " +"DE DOMINI</quote> de la pàgina de manual de <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> per a tots els detalls. <placeholder type=\"variablelist\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (enter)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "OPCIONS DE SUDO" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (enter)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Per defecte: 900 (15 minuts)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (enter)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1454 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Per defecte: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Per defecte: 21600 (6 hores)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (booleà)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1468 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1474 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1478 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1498 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). 
If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (enter)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1512 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (enter)" - #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (cadena)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#: sssd-ldap.5.xml:1536 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#: sssd-ldap.5.xml:1541 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (cadena)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 +#: sssd-ldap.5.xml:1559 msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"Especifica quines comprovacions s'han de realitzar sobre els certificats de " -"servidor en una sessió TLS, si s'escau. Es pot especificar com un dels " -"valors següents:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#: sssd-ldap.5.xml:1577 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." 
msgstr "" -"<emphasis>never</emphasis> = El client no demanarà o comprovarà cap " -"certificat del servidor." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -"<emphasis>allow</emphasis> = El certificat del servidor se sol·licitarà. Si " -"no es proporciona cap certificat, la sessió avança normalment. Si es " -"proporciona un certificat dolent, s'ignorarà i la sessió procedirà " -"normalment." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -"<emphasis>try</emphasis> = El certificat del servidor se sol·licitarà. Si no " -"es proporciona cap certificat, la sessió avança normalment. Si es " -"proporciona un certificat dolent, immediatament s'acaba la sessió." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "OPCIONS D'AUTOFS" + +#. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1611 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -"<emphasis>demand</emphasis> = El certificat del servidor se sol·licitarà. Si " -"no es proporciona cap certificat, o se'n proporciona un de dolent, " -"immediatament s'acaba la sessió." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Per defecte: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (cadena)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 -msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" -"Especifica el fitxer que conté els certificats per a totes les Autoritats de " -"Certificació que reconeixerà l'<command>sssd</command>." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 -msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" -msgstr "" -"Per defecte: Utilitza els valors per defecte d'OpenLDAP, normalment a " -"<filename>/etc/openldap/ldap.conf</filename>" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Per defecte: auto.master" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "OPCIONS AVANÇADES" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (cadena)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 -msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." -msgstr "" -"Especifica el camí al directori que conté els certificats de l'autoritat " -"certificadora en fitxers separats independents. Normalment els noms dels " -"fitxers són el hash del certificat seguit de '. 0'. Si està disponible, " -"<command>cacertdir_rehash</command> es pot utilitzar per crear els noms " -"correctes." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (cadena)" +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" +msgstr "<note>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" +msgstr "</note>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (cadena)" +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (booleà)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "EXEMPLE" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." 
+"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -"Especifica que la connexió id_provider també ha d'utilitzar <systemitem " -"class=\"protocol\">tls</systemitem> per a protegir el canal." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (booleà)" +"L'exemple següent presuposa que l'SSSD està correctament configurat i l'LDAP " +"està definit com a un dels dominis a la secció <replaceable>[domains]</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" +#. 
type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (cadena)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "NOTES" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" +"Les descripcions d'algunes de les opcions de configuració en aquesta pàgina " +"del manual es basen en la pàgina del manual <citerefentry>de " +"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> de la distribució d'OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. 
If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "Mòdul de PAM per SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> 
<replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" +"<command>pam_sss.so</command> és la interfície PAM a l'SSSD (System Security " +"Services daemon). Els errors i els resultats es registren a través de " +"<command>syslog(3)</command> amb el canal LOG_AUTHPRIV." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." 
+msgstr "Suprimeix el registre dels missatges per als usuaris desconeguts." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" +"Si s'estableix <option>forward_pass</option>, la contrasenya que " +"s'introdueix es posa a la pila perquè els altres mòduls del PAM l'utilitzin." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Per defecte: el valor de krb5_realm." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (booleà)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." 
+"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" +"L'argument use_first_pass obliga al mòdul que utilitzi una contrasenya " +"apilada anteriorment dels mòduls i mai ho demanarà l'usuari - si no hi ha " +"cap contrasenya o no és correcta, es denegarà l'accés a l'usuari." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Per defecte: false;" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" +"Quan el canvi de contrasenya força al mòdul a establir la nova contrasenya a " +"la proporcionada per un mòdul de contrasenya prèviament apilat." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" -msgstr "" -"Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5." -"keytab</filename>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (booleà)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" +"Si s'especifica, en cas de fallar l'autenticació a l'usuari se li demanarà N " +"vegades més una contrasenya. Per defecte és 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" +"Si us plau, tingueu en compte que aquesta opció podria no funcionar com " +"s'espera si l'aplicació que crida PAM gestiona pel seu compte el diàleg amb " +"l'usuari. Un exemple típic és <command>sshd</command> amb " +"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (enter)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" +"Si s'especifica aquesta opció i no existeix l'usuari, el mòdul PAM retornarà " +"PAM_IGNORE. Això provoca que el marc de treball del PAM ignori aquest mòdul." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Per defecte: 86400 (24 hores)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. 
" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" +"Especifica que el mòdul PAM ha de retornar PAM_IGNORE si no pot contactar " +"amb el domini SSSD. Això provoca que el marc de treball del PAM ignori " +"aquest mòdul." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" +msgstr "<option>domains</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -"Quan s'utilitza el servei de descobriment per als servidors KDC o kpasswd, " -"l'SSSD primer cerca les entrades DNS que especifiquen _udp com el protocol i " -"retorna a _tcp si no se'n troba cap." +"Permet a l'administrador que restringeixi els dominis que un servei PAM " +"concret pot autentificar-s'hi. El format és una llista separada per comes " +"dels noms dels dominis SSSD, com s'especifica al fitxer sssd.conf." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -"Aquesta opció s'anomenava <quote>krb5_kdcip</quote> en les primeres versions " -"de l'SSSD. Mentre que el nom antic és reconegut de moment, s'aconsella als " -"usuaris que migrin els seus fitxers de configuració per utilitzar " -"<quote>krb5_server</quote>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (cadena)" +"NOTA: Ha d'utilitzar-se juntament amb les opcions <quote>pam_trusted_users</" +"quote> i <quote>pam_public_domains</quote>. Si us plau, vegeu la pàgina del " +"manual de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> per a més informació sobre aquestes " +"dues opcions del contestador del PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/" -"krb5.conf</filename>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (booleà)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -"Selecciona la política per avaluar la caducitat de la contrasenya en el " -"costat del client. S'admeten els valors següents:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"<emphasis>none</emphasis> - Cap avaluació del costat del client. Aquesta " -"opció no inhabilita les polítiques de contrasenya de servidor." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"<emphasis>mit_kerberos</emphasis> - Usa els atributs utilitzats per MIT " -"Kerberos per determinar si la contrasenya ha caducat. Utilitza " -"chpass_provider=krb5 per actualitzar aquests atributs quan es canvia la " -"contrasenya." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "" -"Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "TIPUS DE MÒDULS PROPORCIONATS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"Tingueu en compte que l'sssd només admet l'encadenament de les referències " -"quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP." +"Es proporcionen tots els tipus de mòduls (<option>account</option>, " +"<option>auth</option>, <option>password</option> i <option>session</option>)." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "FITXERS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"Especifica el nom de servei per utilitzar quan està habilitada la detecció " -"de serveis." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Per defecte: ldap" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (cadena)" +"Si falla el restabliment d'una contrasenya per root, perquè el proveïdor " +"SSSD corresponent no admet el restabliment de les contrasenyes, es pot " +"mostrar un missatge concret. Aquest missatge per exemple pot contenir les " +"instruccions sobre com es restableix una contrasenya." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"Especifica el nom del servei a utilitzar per trobar un servidor LDAP que " -"permeti els canvis de contrasenyes quan estigui habilitat el descobriment " -"dels serveis." +"El missatge es llegeix del fitxer <filename>pam_sss_pw_reset_message.LOC</" +"filename> on LOC representa una cadena de la configuració regional retornada " +"amb <citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" +"manvolnum> </citerefentry>. Si no hi ha cap coincidència, es mostra el " +"contingut del fitxer <filename>pam_sss_pw_reset_message.txt</filename>. 
El " +"propietari dels fitxers ha de ser root i tan sols root ha de tenir els " +"permisos de lectura i escriptura, mentre que tots els altres usuaris " +"únicament han de tenir els permisos de lectura." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -"Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat" +"Aquests fitxers se cerquen al directori <filename>/etc/sssd/customize/" +"NOM_DOMINI/</filename>. Si no hi ha present cap fitxer que hi coincideixi, " +"es mostrarà un missatge genèric." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (booleà)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (cadena)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Exemple:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 -msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Per defecte: Buit" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -"Amb aquesta opció es pot habilitar una avaluació del costat de client " -"d'atributs de control d'accés." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 -msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -"Si us plau, tingueu en compte que sempre és recomanable utilitzar el control " -"d'accés del costat de servidor, és a dir, el servidor d'LDAP hauria de " -"denegar la petició de vincle amb un codi d'error adequat fins i tot si la " -"contrasenya és correcta." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "S'admeten els valors següents:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -"<emphasis>shadow</emphasis>: utilitza el valor ldap_user_shadow_expire per " -"determinar si el compte ha caducat." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" +"No totes les implementacions del Kerberos admeten l'ús de connectors. Si " +"<command>sssd_krb5_locator_plugin</command> no estigués disponible al vostre " +"sistema, heu d'editar /etc/krb5.conf per reflectir la vostra configuració " +"del Kerberos." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -"Llista separada per comes d'opcions de control d'accés. Els valors permesos " -"són:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 -msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 -msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" +"el fitxer de configuració per al proveïdor de control d'accés 'simple' de " +"l'SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" +"En aquesta pàgina del manual es descriu la configuració del proveïdor de " +"control d'accés simple per a <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum></citerefentry>. Per a una " +"referència detallada de la sintaxi, aneu a la secció <quote>FORMAT DEL " +"FITXER</quote> de la pàgina del manual <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" +"El proveïdor d'accés simple concedeix o denega l'accés basat en una llista " +"d'accés o denegació dels noms dels usuaris o dels noms dels grups. " +"S'apliquen les regles següents:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 -msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Si totes les llistes estan buides, es concedeix l'accés" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" +"Si es proporciona alguna llista, l'ordre d'avaluació és permissió, " +"denegació. 
Això vol dir que qualsevol coincidència amb la regla de denegació " +"reemplaçarà qualsevol coincidència amb la regla de permissió." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" -msgstr "" -"<emphasis>authorized_service</emphasis>: utilitza l'atribut " -"authorizedService per determinar l'accés" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" +"Si es proporcionen una o ambdues llistes de \"permissió\", tots els usuaris " +"són denegats excepte els que apareixen a la llista." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" +"Si només es proporcionen llistes de \"denegació\", es concedeix l'accés a " +"tots els usuaris excepte els que apareixen a la llista." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 -msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" +"Llista separada per comes dels usuaris a qui se'ls permet iniciar la sessió." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Per defecte: filter" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -"Si us plau, tingueu en compte que és un error de configuració si un valor " -"s'utilitza més d'una vegada." +"Llista separada per comes dels usuaris a qui se'ls denega explícitament " +"l'accés." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" -msgstr "ldap_pwdlockout_dn (cadena)" +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#: sssd-simple.5.xml:100 msgid "" -"This option specifies the DN of password policy entry on LDAP server. 
Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" -msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" -msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base" +"Llista separada per comes dels grups a qui se'ls permet iniciar la sessió. " +"Això s'aplica únicament als grups dins d'aquest domini SSSD. No s'avaluen " +"els grups locals." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (cadena)" +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#: sssd-simple.5.xml:111 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" -msgstr "" -"Especifica com es realitza l'eliminació de les referències dels àlies quan " -"es fa una cerca. S'admeten les opcions següents:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." 
+"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"<emphasis>never</emphasis>: les referències dels àlies mai són eliminades." +"Llista separada per comes dels grups a qui se'ls denega explícitament " +"l'accés. Això s'aplica únicament als grups dins d'aquest domini SSSD. No " +"s'avaluen els grups locals." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<emphasis>searching</emphasis>: les referències dels àlies són eliminades en " -"subordinats de l'objecte base, però no en la localització de l'objecte base " -"de la cerca." +"Per a més informació sobre la configuració d'un domini SSSD, consulteu la " +"secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." 
+"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"<emphasis>finding</emphasis>: les referències dels àlies són eliminades " -"només en localitzar l'objecte base de la cerca." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -"<emphasis>always</emphasis>: les referències dels àlies són eliminades tant " -"en la recerca i en la localització de l'objecte base de la cerca." +"Si us plau, tingueu en compte que és un error de configuració si es " +"defineixen alhora simple_allow_users i simple_deny_users." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -"Per defecte: Buit (això es tractarà com a <emphasis>never</emphasis> amb les " -"biblioteques de client LDAP)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (booleà)" +"En el següent exemple s'assumeix que l'SSD està configurat correctament i " +"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</" +"replaceable>. En aquest exemple es mostren únicament les opcions " +"específiques del proveïdor d'accés simple." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" +"[domini/exemple.com]\n" +"access_provider = simple\n" +"simple_allow_users = usuari1, usuari2\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. 
(<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" +"La jerarquia completa de la pertinença a un grup es resol abans de la " +"comprovació de l'accés, de manera que fins i tot els grups imbricats es " +"poden incloure a les llistes d'accés. Si us plau, tingueu cura que l'opció " +"<quote>ldap_group_nesting_level</quote> pot influir amb els resultats i s'ha " +"d'establir amb un valor suficient. L'opció (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#: sss-certmap.5.xml:28 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -"Totes les opcions comunes de configuració que s'apliquen als dominis SSD " -"també s'apliquen als dominis LDAP. Referiu-vos a la secció <quote>SECCIONS " -"DE DOMINI</quote> de la pàgina de manual de <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> per a tots els detalls. <placeholder type=\"variablelist\" id=" -"\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "OPCIONS DE SUDO" +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Per defecte: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Per defecte: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"With this a part or the whole issuer name of the certificate can be matched. 
" +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Per defecte: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Per defecte: sudoUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Per defecte: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Per defecte: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Per defecte: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Per defecte: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Per defecte: sudoNotAfter" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Per defecte: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (enter)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Per defecte: 21600 (6 hores)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (enter)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (booleà)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (booleà)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "OPCIONS D'AUTOFS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 -msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "ldap_autofs_map_master_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. 
With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "Per defecte: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 -msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 -msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 -msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "OPCIONS AVANÇADES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" -msgstr "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" -msgstr "</note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "EXEMPLE" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -"L'exemple següent presuposa que l'SSSD està correctament configurat i l'LDAP " -"està definit com a un dels dominis a la secció <replaceable>[domains]</" -"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. 
The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "NOTES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"Les descripcions d'algunes de les opcions de configuració en aquesta pàgina " -"del manual es basen en la pàgina del manual <citerefentry>de " -"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum></" -"citerefentry> de la distribució d'OpenLDAP 2.4." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "Mòdul de PAM per SSSD" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -"<command>pam_sss.so</command> és la interfície PAM a l'SSSD (System Security " -"Services daemon). 
Els errors i els resultats es registren a través de " -"<command>syslog(3)</command> amb el canal LOG_AUTHPRIV." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "Suprimeix el registre dels missatges per als usuaris desconeguts." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -"Si s'estableix <option>forward_pass</option>, la contrasenya que " -"s'introdueix es posa a la pila perquè els altres mòduls del PAM l'utilitzin." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"L'argument use_first_pass obliga al mòdul que utilitzi una contrasenya " -"apilada anteriorment dels mòduls i mai ho demanarà l'usuari - si no hi ha " -"cap contrasenya o no és correcta, es denegarà l'accés a l'usuari." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -"Quan el canvi de contrasenya força al mòdul a establir la nova contrasenya a " -"la proporcionada per un mòdul de contrasenya prèviament apilat." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -"Si s'especifica, en cas de fallar l'autenticació a l'usuari se li demanarà N " -"vegades més una contrasenya. Per defecte és 0." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 -msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -"Si us plau, tingueu en compte que aquesta opció podria no funcionar com " -"s'espera si l'aplicació que crida PAM gestiona pel seu compte el diàleg amb " -"l'usuari. 
Un exemple típic és <command>sshd</command> amb " -"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -"Si s'especifica aquesta opció i no existeix l'usuari, el mòdul PAM retornarà " -"PAM_IGNORE. Això provoca que el marc de treball del PAM ignori aquest mòdul." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." 
+"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -"Especifica que el mòdul PAM ha de retornar PAM_IGNORE si no pot contactar " -"amb el domini SSSD. Això provoca que el marc de treball del PAM ignori " -"aquest mòdul." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" -msgstr "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -"Permet a l'administrador que restringeixi els dominis que un servei PAM " -"concret pot autentificar-s'hi. El format és una llista separada per comes " -"dels noms dels dominis SSSD, com s'especifica al fitxer sssd.conf." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. 
Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -"NOTA: Ha d'utilitzar-se juntament amb les opcions <quote>pam_trusted_users</" -"quote> i <quote>pam_public_domains</quote>. Si us plau, vegeu la pàgina del " -"manual de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> per a més informació sobre aquestes " -"dues opcions del contestador del PAM." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 -msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "TIPUS DE MÒDULS PROPORCIONATS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -"Es proporcionen tots els tipus de mòduls (<option>account</option>, " -"<option>auth</option>, <option>password</option> i <option>session</option>)." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "FITXERS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -"Si falla el restabliment d'una contrasenya per root, perquè el proveïdor " -"SSSD corresponent no admet el restabliment de les contrasenyes, es pot " -"mostrar un missatge concret. Aquest missatge per exemple pot contenir les " -"instruccions sobre com es restableix una contrasenya." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 -msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -"El missatge es llegeix del fitxer <filename>pam_sss_pw_reset_message.LOC</" -"filename> on LOC representa una cadena de la configuració regional retornada " -"amb <citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" -"manvolnum> </citerefentry>. Si no hi ha cap coincidència, es mostra el " -"contingut del fitxer <filename>pam_sss_pw_reset_message.txt</filename>. El " -"propietari dels fitxers ha de ser root i tan sols root ha de tenir els " -"permisos de lectura i escriptura, mentre que tots els altres usuaris " -"únicament han de tenir els permisos de lectura." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -"Aquests fitxers se cerquen al directori <filename>/etc/sssd/customize/" -"NOM_DOMINI/</filename>. Si no hi ha present cap fitxer que hi coincideixi, " -"es mostrarà un missatge genèric." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. 
With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' 
or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "Proveïdor d'IPA de l'SSSD" + #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#: sssd-ipa.5.xml:23 msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." 
+"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"No totes les implementacions del Kerberos admeten l'ús de connectors. Si " -"<command>sssd_krb5_locator_plugin</command> no estigués disponible al vostre " -"sistema, heu d'editar /etc/krb5.conf per reflectir la vostra configuració " -"del Kerberos." +"En aquesta pàgina del manual es descriu la configuració del proveïdor IPA " +"per a <citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry>. Per una referència detallada sintaxi, aneu a la " +"secció de <quote>FORMAT DE FITXER</quote> de la pàgina del manual " +"<citerefentry>d'<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#: sssd-ipa.5.xml:36 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" +"El proveïdor d'IPA és un programari especialitzat que s'utilitza per " +"connectar a un servidor IPA. (Consulteu el lloc web freeipa.org per obtenir " +"informació sobre els servidors IPA). Aquest proveïdor requereix que " +"s'afegeixi la màquina al domini d'IPA; la configuració s'autodescobreix " +"gairebé totalment i s'obté directament del servidor." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#: sssd-ipa.5.xml:43 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#: sssd-ipa.5.xml:57 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. 
Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -"el fitxer de configuració per al proveïdor de control d'accés 'simple' de " -"l'SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#: sssd-ipa.5.xml:67 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -"En aquesta pàgina del manual es descriu la configuració del proveïdor de " -"control d'accés simple per a <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum></citerefentry>. Per a una " -"referència detallada de la sintaxi, aneu a la secció <quote>FORMAT DEL " -"FITXER</quote> de la pàgina del manual <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#: sssd-ipa.5.xml:73 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." 
msgstr "" -"El proveïdor d'accés simple concedeix o denega l'accés basat en una llista " -"d'accés o denegació dels noms dels usuaris o dels noms dels grups. " -"S'apliquen les regles següents:" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Si totes les llistes estan buides, es concedeix l'accés" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -"Si es proporciona alguna llista, l'ordre d'avaluació és permissió, " -"denegació. Això vol dir que qualsevol coincidència amb la regla de denegació " -"reemplaçarà qualsevol coincidència amb la regla de permissió." +"Especifica el nom del domini IPA. És opcional. Si no se n'especifica cap, " +"s'utilitza el nom de domini de la configuració." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." -msgstr "" -"Si es proporcionen una o ambdues llistes de \"permissió\", tots els usuaris " -"són denegats excepte els que apareixen a la llista." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -"Si només es proporcionen llistes de \"denegació\", es concedeix l'accés a " -"tots els usuaris excepte els que apareixen a la llista." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (cadena)" +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -"Llista separada per comes dels usuaris a qui se'ls permet iniciar la sessió." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (cadena)" +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -"Llista separada per comes dels usuaris a qui se'ls denega explícitament " -"l'accés." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#: sssd-ipa.5.xml:145 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." 
msgstr "" -"Llista separada per comes dels grups a qui se'ls permet iniciar la sessió. " -"Això s'aplica únicament als grups dins d'aquest domini SSSD. No s'avaluen " -"els grups locals." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (cadena)" +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (enter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" -"Llista separada per comes dels grups a qui se'ls denega explícitament " -"l'accés. Això s'aplica únicament als grups dins d'aquest domini SSSD. No " -"s'avaluen els grups locals." - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -"Per a més informació sobre la configuració d'un domini SSSD, consulteu la " -"secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -"Si us plau, tingueu en compte que és un error de configuració si es " -"defineixen alhora simple_allow_users i simple_deny_users." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. 
Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -"En el següent exemple s'assumeix que l'SSD està configurat correctament i " -"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</" -"replaceable>. En aquest exemple es mostren únicament les opcions " -"específiques del proveïdor d'accés simple." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -"[domini/exemple.com]\n" -"access_provider = simple\n" -"simple_allow_users = usuari1, usuari2\n" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -"La jerarquia completa de la pertinença a un grup es resol abans de la " -"comprovació de l'accés, de manera que fins i tot els grups imbricats es " -"poden incloure a les llistes d'accés. 
Si us plau, tingueu cura que l'opció " -"<quote>ldap_group_nesting_level</quote> pot influir amb els resultats i s'ha " -"d'establir amb un valor suficient. L'opció (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 -msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. 
The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (booleà)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." 
+"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (booleà)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Per defecte: False (inhabilitat)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 -msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 +msgid "" +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Per defecte: Utilitza el DN base" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" +msgstr "ipa_views_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. 
Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" +msgstr "krb5_confd_path (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." 
+"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Per defecte: 5 (segons)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (enter)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (enter)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" +msgstr "ipa_view_class (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" -msgstr "" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" +msgstr "Per defecte: nsContainer" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" +msgstr "ipa_view_name (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Per defecte: cn" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" -msgstr "" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" +msgstr "Per defecte: ipaOverrideAnchor" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" +msgstr "ipa_anchor_uuid (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#: sssd-ipa.5.xml:643 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." 
+"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" -msgstr "" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" +msgstr "Per defecte: ipaAnchorUUID" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" -msgstr "" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" +msgstr "ipa_user_override_object_class (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" +msgstr "ldap_user_name" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" +msgstr "ldap_user_uid_number" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" +msgstr "ldap_user_gid_number" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" +msgstr "ldap_user_gecos" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" +msgstr "ldap_user_home_directory" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" +msgstr "ldap_user_shell" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" +msgstr "ldap_user_ssh_public_key" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" -msgstr "" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" +msgstr "Per defecte: ipaUserOverride" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" +msgstr "ipa_group_override_object_class (cadena)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#: sssd-ipa.5.xml:696 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "ldap_group_name" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" +msgstr "ldap_group_gid_number" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" -msgstr "" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" +msgstr "Per defecte: ipaGroupOverride" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#: sssd-ipa.5.xml:596 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" +msgstr "PROVEÏDOR DELS SUBDOMINIS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. 
Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 -msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 -msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 -msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 -msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. 
In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" +"En el següent exemple s'assumeix que l'SSD està configurat correctament i " +"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</" +"replaceable>. En aquest exemple es mostren únicament les opcions " +"específiques del proveïdor IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" +"[domini/exemple.com]\n" +"id_provider = ipa\n" +"ipa_server = servidoripa.exemple.com\n" +"ipa_hostname = elmeuanfitrio.exemple.com\n" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "Proveïdor d'Active Directory de l'SSSD" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." 
+"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." 
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." 
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 -msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (cadena)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" -msgstr "Proveïdor d'IPA de l'SSSD" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -"En aquesta pàgina del manual es descriu la configuració del proveïdor IPA " -"per a <citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry>. Per una referència detallada sintaxi, aneu a la " -"secció de <quote>FORMAT DE FITXER</quote> de la pàgina del manual " -"<citerefentry>d'<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. 
" +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -"El proveïdor d'IPA és un programari especialitzat que s'utilitza per " -"connectar a un servidor IPA. (Consulteu el lloc web freeipa.org per obtenir " -"informació sobre els servidors IPA). Aquest proveïdor requereix que " -"s'afegeixi la màquina al domini d'IPA; la configuració s'autodescobreix " -"gairebé totalment i s'obté directament del servidor." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." 
+"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (cadena)" +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:311 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -"Especifica el nom del domini IPA. És opcional. Si no se n'especifica cap, " -"s'utilitza el nom de domini de la configuració." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" -msgstr "ipa_server, ipa_backup_server (cadena)" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (booleà)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:325 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (cadena)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:333 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" -msgstr "dyndns_update (booleà)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:350 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#: sssd-ad.5.xml:359 msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:367 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" -msgstr "dyndns_ttl (enter)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:376 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" -msgstr "dyndns_iface (cadena)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:401 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:410 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:417 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" -msgstr "ipa_enable_dns_sites (booleà)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." -msgstr "" +#: sssd-ad.5.xml:463 +msgid "Default: permissive" +msgstr "Per defecte: permissive" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" +msgstr "Per defecte: enforcing" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" -msgstr "dyndns_refresh_interval (enter)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:475 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. 
" +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" -msgstr "dyndns_update_ptr (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 -msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:495 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "Per defecte: False (inhabilitat)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (booleà)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (enter)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:515 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" -msgstr "" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:531 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. 
If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:549 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#: sssd-ad.5.xml:554 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" +msgstr "gdm-fingerprint" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 -msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 -msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Per defecte: Utilitza el DN base" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (cadena)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:638 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. 
Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (cadena)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (cadena)" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "sshd" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" -msgstr "ipa_views_search_base (cadena)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." 
+#: sssd-ad.5.xml:697 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:721 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "ftp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" +msgstr "samba" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" -msgstr "krb5_confd_path (cadena)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:755 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. 
Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:773 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:790 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Per defecte: 5 (segons)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" +msgstr "crond" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" -msgstr "" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:808 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (enter)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. 
" -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (enter)" +"ad_gpo_map_service = +my_pam_service\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (booleà)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:852 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#: sssd-ad.5.xml:857 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#: sssd-ad.5.xml:889 +msgid "systemd-user" +msgstr "systemd-user" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:901 msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" +"ad_gpo_map_deny = +my_pam_service\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (cadena)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" -msgstr "ipa_view_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" -msgstr "Per defecte: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" -msgstr "ipa_view_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" -msgstr "Per defecte: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "ipa_anchor_uuid (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:989 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" -msgstr "Per defecte: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" -msgstr "ipa_user_override_object_class (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" -msgstr "ldap_user_name" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" -msgstr "ldap_user_uid_number" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "ldap_user_gid_number" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" -msgstr "ldap_user_gecos" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" -msgstr "ldap_user_home_directory" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" -msgstr "ldap_user_shell" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" -msgstr "ldap_user_ssh_public_key" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" -msgstr "Per defecte: ipaUserOverride" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" -msgstr "ipa_group_override_object_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" -msgstr "ldap_group_name" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "ldap_group_gid_number" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "Per defecte: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "Per defecte: 3600 (segons)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "PROVEÏDOR DELS SUBDOMINIS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 -msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Per defecte: True" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd-ad.5.xml:1211 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" +"[domain/EXEMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.exemple.com\n" +"ad_hostname = client.exemple.com\n" +"ad_domain = exemple.com\n" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 +#: sssd-ad.5.xml:1238 #, no-wrap msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sssd-ad.5.xml:1234 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sssd-ad.5.xml:1244 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sssd-ad.5.xml:1252 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sssd-sudo.5.xml:94 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -"En el següent exemple s'assumeix que l'SSD està configurat correctament i " -"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</" -"replaceable>. En aquest exemple es mostren únicament les opcions " -"específiques del proveïdor IPA." #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 +#: sssd-sudo.5.xml:99 #, no-wrap msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -"[domini/exemple.com]\n" -"id_provider = ipa\n" -"ipa_server = servidoripa.exemple.com\n" -"ipa_hostname = elmeuanfitrio.exemple.com\n" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "Proveïdor d'Active Directory de l'SSSD" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXEMPLE\n" +"\n" +"[domain/EXEMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://exemple.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=exemple,dc=com\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#: sssd-sudo.5.xml:98 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sssd-sudo.5.xml:118 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 -msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sssd-sudo.5.xml:130 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." 
+"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#: sssd-sudo.5.xml:138 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#: sssd-sudo.5.xml:144 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. 
However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#: sssd-sudo.5.xml:152 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#: sssd-sudo.5.xml:161 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap -msgid "" -"ldap_id_mapping = False\n" -" " -msgstr "" -"ldap_id_mapping = False\n" -" " +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "paraula clau ALL" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. 
For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "comodí" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" +"dimoni dels serveis de seguretat del sistema (System Security Services " +"Daemon)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" +"L'<command>SSSD</command> proporciona un conjunt de dimonis per gestionar " +"l'accés als directoris remots i els mecanismes d'autenticació. Proporciona " +"una interfície NSS i PAM cap al sistema i un sistema d'accés a la capa de " +"dades amb connectors per connectar a orígens múltiples de comptes diferents, " +"com ara la interfície D-Bus. 
També és la base per proporcionar l'auditoria " +"dels clients i les polítiques dels serveis per a projectes com FreeIPA. " +"Proporciona una base de dades més robusta on emmagatzemar els usuaris " +"locals, així com dades addicionals de l'usuari." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVELL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" +"<emphasis>1</emphasis>: Afegeix una marca temporal als registres de depuració" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 -msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" +"<emphasis>0</emphasis>: Inhabilita la marca temporal als registres de " +"depuració" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" +"<emphasis>1</emphasis>: Afegeix els mil·lisegons a les marques temporals als " +"missatges de depuració" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" +"<emphasis>0</emphasis>: Inhabilita els mil·lisegons a les marques temporals" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" +"Envia la sortida de depuració als fitxers en comptes de l'stderr. Per " +"defecte, els fitxers dels registres s'emmagatzemen a <filename>/var/log/" +"sssd</filename> i hi ha fitxers dels registres que se separen per a cadascun " +"dels serveis i dels dominis de l'SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." 
+"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (booleà)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "ad_access_filter (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. 
Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Esdevé un dimoni després de la posada en marxa." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Executa en primer pla, no esdevinguis un dimoni." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Especifica un fitxer de configuració diferent al predeterminat. Per defecte " +"és <filename>/etc/sssd/sssd.conf</filename>. Per consultar la sintaxi del " +"fitxer de configuració i les opcions, aneu a la pàgina del manual del " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 -msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "ad_site (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "ad_enable_gc (booleà)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "Imprimeix el número de la versió i surt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Senyals" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" +"Informa l'SSSD per finalitzar elegantment tots els seus processos fills i " +"després atura el monitor." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "ad_gpo_access_control (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" +"Diu a l'SSSD que deixi d'escriure als actuals descriptors de fitxers de " +"depuració i que els tanqui i els reobri. Això intenta facilitar la rotació " +"dels registres amb programes com logrotate." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. 
This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" +"Diu a l'SSSD que simuli l'operació sense connexió pel període del paràmetre " +"<quote>offline_timeout</quote>. Això és útil per fer proves. El senyal es " +"pot enviar directament al procés sssd o sssd_be." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" +"Diu a l'SSSD que es desconnecti immediatament. Això és útil per fer proves. " +"El senyal es pot enviar directament al procés sssd o sssd_be." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +#| "applications will not use the fast in memory cache." msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" +"Si la variable d'entorn SSS_NSS_USE_MEMCACHE està establerta a \"NO\", les " +"aplicacions clients no utilitzaran el fast en la memòria cau." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "ofusca una contrasenya en text clar" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." 
+"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" +"<command>sss_obfuscate</command> converteix una contrasenya especificada a " +"un format illegible per als humans i la posa a la secció del domini adequat " +"del fitxer de configuració de l'SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" +"La contrasenya en text clar es llegeix de l'entrada estàndard o s'introdueix " +"de forma interactiva. La contrasenya ofuscada es fica al paràmetre " +"<quote>ldap_default_authtok</quote> del domini SSSD indicat, i el paràmetre " +"<quote>ldap_default_authtok_type</quote> s'estableix a " +"<quote>obfuscated_password</quote>. Consulteu <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> per a més detalls sobre aquests paràmetres." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. 
" -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" +"Tingueu en compte que ofuscar les contrasenyes <emphasis>no proporciona cap " +"benefici real de seguretat</emphasis>, ja que un atacant encara podria " +"extreure la contrasenya amb enginyeria inversa. Es recomana " +"<emphasis>aferrissadament</emphasis> l'ús de mecanismes d'autenticació " +"millors com els certificats al cantó del client o el GSSAPI." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" -msgstr "Per defecte: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" -msgstr "Per defecte: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "La contrasenya per ofuscar es llegirà de l'entrada estàndard." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMINI</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" +"El domini SSSD on s'utilitza la contrasenya. El nom per defecte és " +"<quote>default</quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>FITXER</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 -msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. 
This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" +"Llegeix el fitxer de configuració que s'especifica amb el paràmetre " +"posicional." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" -msgstr "ad_gpo_cache_timeout (enter)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Per defecte: <filename>/etc/sssd/sssd.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" -msgstr "ad_gpo_map_interactive (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "gdm-fingerprint" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" -msgstr "ad_gpo_map_remote_interactive (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" -msgstr "sshd" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "ad_gpo_map_network (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "ftp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "samba" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" -msgstr "ad_gpo_map_batch (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "crond" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "ad_gpo_map_service (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -"ad_gpo_map_service = +my_pam_service\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "ad_gpo_map_permit (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Import group overrides from <emphasis>FILE</emphasis>. 
Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" -msgstr "systemd-user" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "ad_gpo_map_deny (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -"ad_gpo_map_deny = +my_pam_service\n" -" " - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" -msgstr "ad_gpo_default_right (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. 
For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "crea un nou usuari" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>OPCIONS</" +"replaceable></arg> <arg choice='plain'> <replaceable>USUARI</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" +"<command>sss_useradd</command> crea un nou compte d'usuari amb els valors " +"que s'especifiquen en la línia d'ordres més els valors per defecte del " +"sistema." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"Estableix l'UID de l'usuari al valor de l'<replaceable>UID</replaceable>. Si " +"no se'n proporciona cap, es tria automàticament." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTARI</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." 
msgstr "" +"Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza " +"com a camp per al nom complet de l'usuari." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>DIRECTORI_INICIAL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 -msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" +"El directori inicial del compte de l'usuari. Per defecte s'afegeix " +"l'<replaceable>USUARI</replaceable> a <filename>/home</filename> i " +"s'utilitza aquest com el directori inicial. La base que s'afegeix abans de " +"l'<replaceable>USUARI</replaceable> es pot personalitzar amb l'ajust " +"<quote>user_defaults/baseDirectory</quote> a l'sssd.conf." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" +"El shell d'inici de sessió de l'usuari. Per defecte és <filename>/bin/bash</" +"filename>. Es pot canviar el valor per defecte amb l'ajust " +"<quote>user_defaults/defaultShell</quote> de l'sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "Per defecte: 3600 (segons)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GRUPS</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "Una llista dels grups existents que aquest usuari també n'és membre." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" +"Crea el directori inicial de l'usuari si no existeix. Al directori inicial " +"es copiaran els fitxers i els directoris continguts al directori esquemàtic " +"(que es pot definir amb l'opció -k o al fitxer de configuració)." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Per defecte: True" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" +"No crea el directori inicial de l'usuari. Substitueix els ajusts de la " +"configuració." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -"[domain/EXEMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.exemple.com\n" -"ad_hostname = client.exemple.com\n" -"ad_domain = exemple.com\n" +"<option>-k</option>,<option>--skel</option> " +"<replaceable>DIRECTORI_ESQUEMÀTIC</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"El directori esquemàtic que conté els fitxers i els directoris per copiar al " +"directori inicial de l'usuari, quan es crea el directori inicial amb " +"<command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" +"No es copiaran els fitxers especials (dispositius de blocs, dispositius de " +"caràcters, canonades amb noms i sòcols d'UNIX)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. 
Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" +"Aquesta opció tan sols és vàlida si s'especifica l'opció <option>-m</option> " +"(o <option>--create-home</option>), o bé la creació dels directoris inicials " +"està establerta a TRUE a la configuració." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" +"L'usuari de SELinux per a l'inici de sessió de l'usuari. Si no s'especifica, " +"s'utilitzarà el predeterminat del sistema." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#: sssd-krb5.5.xml:23 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#: sssd-krb5.5.xml:36 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#: sssd-krb5.5.xml:47 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" - #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#: sssd-krb5.5.xml:55 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXEMPLE\n" -"\n" -"[domain/EXEMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://exemple.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=exemple,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Per defecte: Utilitza el KDC" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. 
The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Per defecte: /tmp" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 -msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." -msgstr "" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 -msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "nom d'usuari" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "paraula clau ALL" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "comodí" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "UID de l'usuari" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nom real" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "directori inicial" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 -msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -"dimoni dels serveis de seguretat del sistema (System Security Services " -"Daemon)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. 
The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -"L'<command>SSSD</command> proporciona un conjunt de dimonis per gestionar " -"l'accés als directoris remots i els mecanismes d'autenticació. Proporciona " -"una interfície NSS i PAM cap al sistema i un sistema d'accés a la capa de " -"dades amb connectors per connectar a orígens múltiples de comptes diferents, " -"com ara la interfície D-Bus. També és la base per proporcionar l'auditoria " -"dels clients i les polítiques dels serveis per a projectes com FreeIPA. 
" -"Proporciona una base de dades més robusta on emmagatzemar els usuaris " -"locals, així com dades addicionals de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVELL</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -"<emphasis>1</emphasis>: Afegeix una marca temporal als registres de depuració" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" -msgstr "" -"<emphasis>0</emphasis>: Inhabilita la marca temporal als registres de " -"depuració" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Per defecte: (del libkrb5)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (enter)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" -msgstr "" -"<emphasis>1</emphasis>: Afegeix els mil·lisegons a les marques temporals als " -"missatges de depuració" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -"<emphasis>0</emphasis>: Inhabilita els mil·lisegons a les marques temporals" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (booleà)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -"Envia la sortida de depuració als fitxers en comptes de l'stderr. Per " -"defecte, els fitxers dels registres s'emmagatzemen a <filename>/var/log/" -"sssd</filename> i hi ha fitxers dels registres que se separen per a cadascun " -"dels serveis i dels dominis de l'SSSD." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Per defecte: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (booleà)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Esdevé un dimoni després de la posada en marxa." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> per segons" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Executa en primer pla, no esdevinguis un dimoni." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> per minuts" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> per hores" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"Especifica un fitxer de configuració diferent al predeterminat. Per defecte " -"és <filename>/etc/sssd/sssd.conf</filename>. Per consultar la sintaxi del " -"fitxer de configuració i les opcions, aneu a la pàgina del manual del " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> per dies." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 -msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. 
This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Imprimeix el número de la versió i surt." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Senyals" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -"Informa l'SSSD per finalitzar elegantment tots els seus processos fills i " -"després atura el monitor." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -"Diu a l'SSSD que deixi d'escriure als actuals descriptors de fitxers de " -"depuració i que els tanqui i els reobri. Això intenta facilitar la rotació " -"dels registres amb programes com logrotate." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -"Diu a l'SSSD que simuli l'operació sense connexió pel període del paràmetre " -"<quote>offline_timeout</quote>. Això és útil per fer proves. El senyal es " -"pot enviar directament al procés sssd o sssd_be." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Diu a l'SSSD que es desconnecti immediatament. Això és útil per fer proves. " -"El senyal es pot enviar directament al procés sssd o sssd_be." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -"Si la variable d'entorn SSS_NSS_USE_MEMCACHE està establerta a \"NO\", les " -"aplicacions clients no utilitzaran el fast en la memòria cau." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "ofusca una contrasenya en text clar" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (cadena)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -"<command>sss_obfuscate</command> converteix una contrasenya especificada a " -"un format illegible per als humans i la posa a la secció del domini adequat " -"del fitxer de configuració de l'SSSD." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. 
The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -"La contrasenya en text clar es llegeix de l'entrada estàndard o s'introdueix " -"de forma interactiva. La contrasenya ofuscada es fica al paràmetre " -"<quote>ldap_default_authtok</quote> del domini SSSD indicat, i el paràmetre " -"<quote>ldap_default_authtok_type</quote> s'estableix a " -"<quote>obfuscated_password</quote>. Consulteu <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> per a més detalls sobre aquests paràmetres." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -"Tingueu en compte que ofuscar les contrasenyes <emphasis>no proporciona cap " -"benefici real de seguretat</emphasis>, ja que un atacant encara podria " -"extreure la contrasenya amb enginyeria inversa. 
Es recomana " -"<emphasis>aferrissadament</emphasis> l'ús de mecanismes d'autenticació " -"millors com els certificats al cantó del client o el GSSAPI." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." -msgstr "La contrasenya per ofuscar es llegirà de l'entrada estàndard." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMINI</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -"El domini SSSD on s'utilitza la contrasenya. El nom per defecte és " -"<quote>default</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>FITXER</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -"Llegeix el fitxer de configuració que s'especifica amb el paràmetre " -"posicional." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Per defecte: <filename>/etc/sssd/sssd.conf</filename>" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> for more information on configuring Kerberos." msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" +"<quote>krb5</quote> per canviar la contrasenya Kerberos. 
Vegeu " +"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> per a més informació sobre configurar Kerberos." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 -msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXEMPLE.COM\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "crea un nou grup" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" +"<command>sss_groupadd</command> crea un nou grup. Aquests grups són " +"compatibles amb els grups POSIX, amb la característica addicional que poden " +"contenir altres grups com a membres." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_groupadd.8.xml:48 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"Estableix el GID del grup al valor del <replaceable>GID</replaceable>. Si no " +"se'n proporciona cap, es tria automàticament." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "suprimeix el compte d'un usuari" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'><replaceable>USUARI</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" +"<command>sss_userdel</command> suprimeix un usuari identificat amb el nom " +"d'usuari <replaceable>USUARI</replaceable> del sistema." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" +"Els fitxers al directori inicial de l'usuari seran eliminats juntament amb " +"el mateix directori inicial i la gestió de cues del correu de l'usuari. " +"Substitueix la configuració." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_userdel.8.xml:60 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 -msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." 
msgstr "" +"Els fitxers al directori inicial de l'usuari no seran eliminats juntament " +"amb el mateix directori inicial i la gestió de cues del correu de l'usuari. " +"Substitueix la configuració." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_userdel.8.xml:72 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" +"Aquesta opció obliga a <command>sss_userdel</command> a suprimir el " +"directori inicial i la gestió de cues del correu de l'usuari, encara que no " +"siguin de la propietat de l'usuari especificat." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" -msgstr "" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "Abans d'eliminar realment a l'usuari, acaba tots els seus processos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "suprimeix un grup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" +"<command>sss_groupdel</command> suprimeix un grup identificat amb el seu nom " +"de <replaceable>GRUP</replaceable> del sistema." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "imprimeix les propietats d'un grup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" +"<command>sss_groupshow</command> mostra la informació sobre un grup " +"identificat amb el seu nom de <replaceable>GRUP</replaceable>. La informació " +"inclou el número de l'id. del grup, els membres del grup i el grup primari." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "crea un nou usuari" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "modifica el compte d'un usuari" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" "arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>OPCIONS</" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>OPCIONS</" "replaceable></arg> <arg choice='plain'> <replaceable>USUARI</replaceable></" "arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_usermod.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"<command>sss_useradd</command> crea un nou compte d'usuari amb els valors " -"que s'especifiquen en la línia d'ordres més els valors per defecte del " -"sistema." +"<command>sss_usermod</command> modifica el compte especificat amb " +"<replaceable>USUARI</replaceable> per reflectir els canvis que " +"s'especifiquen a la línia d'ordres." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "El directori inicial del compte de l'usuari." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 -msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" -"Estableix l'UID de l'usuari al valor de l'<replaceable>UID</replaceable>. Si " -"no se'n proporciona cap, es tria automàticament." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "El shell d'inici de sessió de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTARI</" -"replaceable>" +"Annexa aquest usuari als grups que s'especifiquen amb el paràmetre dels " +"<replaceable>GRUPS</replaceable>. El paràmetre dels <replaceable>GRUPS</" +"replaceable> és una llista delimitada per comes dels noms dels grups." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sss_usermod.8.xml:96 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza " -"com a camp per al nom complet de l'usuari." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" -msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>DIRECTORI_INICIAL</" -"replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." -msgstr "" -"El directori inicial del compte de l'usuari. Per defecte s'afegeix " -"l'<replaceable>USUARI</replaceable> a <filename>/home</filename> i " -"s'utilitza aquest com el directori inicial. La base que s'afegeix abans de " -"l'<replaceable>USUARI</replaceable> es pot personalitzar amb l'ajust " -"<quote>user_defaults/baseDirectory</quote> a l'sssd.conf." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Bloqueja el compte de l'usuari. 
L'usuari no podrà iniciar la sessió." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." -msgstr "" -"El shell d'inici de sessió de l'usuari. Per defecte és <filename>/bin/bash</" -"filename>. Es pot canviar el valor per defecte amb l'ajust " -"<quote>user_defaults/defaultShell</quote> de l'sssd.conf." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Desbloqueja el compte de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "L'usuari de SELinux per a l'inici de sessió de l'usuari." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GRUPS</" -"replaceable>" +"<option>--addattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "Una llista dels grups existents que aquest usuari també n'és membre." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Afegeix una parella atribut/valor. El format és nomatribut=valor." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" +"<option>--setattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#: sss_usermod.8.xml:152 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"Crea el directori inicial de l'usuari si no existeix. Al directori inicial " -"es copiaran els fitxers i els directoris continguts al directori esquemàtic " -"(que es pot definir amb l'opció -k o al fitxer de configuració)." +"Estableix un atribut a la parella nom/valor. El format és nomatribut=valor. " +"Per als atributs amb múltiples valors, l'ordre substitueix els valors ja " +"presents" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" +"<option>--delattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Elimina una parella atribut/valor. El format és nomatribut=valor." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "fa neteja de la memòria cau" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"No crea el directori inicial de l'usuari. Substitueix els ajusts de la " -"configuració." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. 
Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -"<option>-k</option>,<option>--skel</option> " -"<replaceable>DIRECTORI_ESQUEMÀTIC</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" -"El directori esquemàtic que conté els fitxers i els directoris per copiar al " -"directori inicial de l'usuari, quan es crea el directori inicial amb " -"<command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" -"No es copiaran els fitxers especials (dispositius de blocs, dispositius de " -"caràcters, canonades amb noms i sòcols d'UNIX)." +"<option>-u</option>,<option>--user</option> <replaceable>usuari</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 -msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." 
-msgstr "" -"Aquesta opció tan sols és vàlida si s'especifica l'opció <option>-m</option> " -"(o <option>--create-home</option>), o bé la creació dels directoris inicials " -"està establerta a TRUE a la configuració." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalida un usuari específic." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" +"Invalida tots els registres dels usuaris. Aquesta opció anul·la la " +"invalidació d'un usuari específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" -"L'usuari de SELinux per a l'inici de sessió de l'usuari. Si no s'especifica, " -"s'utilitzarà el predeterminat del sistema." +"<option>-g</option>,<option>--group</option> <replaceable>grup</replaceable>" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "Invalida un grup específic." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" +"Invalida tots els registres dels grups. Aquesta opció anul·la la invalidació " +"d'un grup específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). 
The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>grup-de-xarxa</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "invalida un grup de xarxa específic." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" +"Invalida tots els registres dels grups de xarxa. Aquesta opció anul·la la " +"invalidació d'un grup de xarxa específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>servei</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "invalida un servei específic." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" +"Invalida tots els registres dels serveis. Aquesta opció anul·la la " +"invalidació d'un servei específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>assignació-" +"autofs</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Per defecte: Utilitza el KDC" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalida una assignació autofs específica." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" +"Invalida tots els registres de les assignacions autofs. Aquesta opció " +"anul·la la invalidació d'una assignació autofs específica, si també es va " +"especificar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Per defecte: /tmp" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (cadena)" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "nom d'usuari" - -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "UID de l'usuari" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>nom-amfitrió</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "nom real" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "Invalida les claus públiques SSH d'un amfitrió especific." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "directori inicial" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "<option>-H</option>,<option>--ssh-hosts</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" +"Invalida tots els registres de les claus públiques SSH de tots els " +"amfitrions. Aquesta opció anul·la la invalidació d'una clau pública SSH d'un " +"amfitrió específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domini</" +"replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 -msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restringeix el procés d'invalidació a tan sols un domini concret." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg " +"choice='plain'><replaceable>NOU_NIVELL_DE_DEPURACIÓ</replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" -msgstr "Per defecte: (del libkrb5)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (enter)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "implanta la memòria cau de l'SSSD amb un usuari" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMINI</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USUARI</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" +"<command>sss_seed</command> implanta la memòria cau de l'SSSD amb una " +"entrada d'un usuari i la contrasenya temporal. Si l'entrada d'un usuari ja " +"està present a la memòria cau de l'SSSD aleshores s'actualitza l'entrada amb " +"la contrasenya temporal." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMINI</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Proporciona el nom del domini en el qual l'usuari n'és membre. 
El domini " +"també s'utilitza per recuperar la informació de l'usuari. El domini ha " +"d'estar configurat a l'sssd.conf. S'ha de proporcionar l'opció del " +"<replaceable>DOMINI</replaceable>. La informació recuperada del domini " +"anul·la aquella que es proporcioni a les opcions." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" +"L'entrada del nom d'usuari a crear o modificar a la memòria cau. S'ha de " +"proporcionar l'opció de l'<replaceable>USUARI</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Estableix l'UID de l'usuari a <replaceable>UID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "Estableix el GID de l'usuari a <replaceable>GID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" +"Establix el directori inicial de l'usuari a <replaceable>DIRECTORI_INICIAL</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." 
+msgstr "" +"Estableix el shell d'inici de sessió de l'usuari a <replaceable>SHELL</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" +"Mode interactiu per a la introducció de la informació de l'usuari. Aquesta " +"opció només demanà la informació no proporcionada a les opcions o que no es " +"recuperi del domini." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>FITXER_CONTRASENYA</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"Especifica el fitxer des d'on llegir la contrasenya de l'usuari. (si no " +"s'especifica, es demana per la contrasenya)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" +"La longitud de la contrasenya (o la mida del fitxer que s'especifica amb " +"l'opció -p o --password-file) ha de ser més petita o igual que PASS_MAX " +"bytes (64 bytes en els sistemes que no defineixen globalment el valor de " +"PASS_MAX)." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "contestador de l'InfoPipe de l'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"En aquesta pàgina del manual es descriu la configuració del contestador de " +"l'InfoPipe per a <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Per a una referència detallada de " +"la sintaxi, consulteu la secció <quote>FORMAT DEL FITXER</quote> de la " +"pàgina del manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" +"El contestador de l'InfoPipe proporciona una interfície D-Bus publica que es " +"pot accedir a través del bus del sistema. La interfície permet que l'usuari " +"consulti informació sobre els usuaris i els grups remots a través del bus " +"del sistema." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" +"Es poden utilitzar aquestes opcions per configurar el contestador de " +"l'InfoPipe." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" +"Especifica una llista separada per comes dels valors dels UID o dels noms " +"d'usuaris que estan assignats per accedir al contestador de l'InfoPipe. Els " +"noms d'usuaris es resolen als UID en la preparació." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" +"Per defecte: 0 (únicament a l'usuari root se li permet l'accés al " +"contestador de l'InfoPipe)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" +"Tingueu en compte que encara que s'utilitzi l'UID 0 com a valor per defecte " +"se sobreescriurà amb aquesta opció. Si encara voleu permetre que l'usuari " +"root accedeixi al contestador de l'InfoPipe, el que seria el cas típic, " +"també cal afegir 0 a la llista dels UID permesos." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" +"Especifica una llista separada per comes dels atributs de la llista negra o " +"blanca." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "nom d'inici de sessió de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "id. de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "id. del grup primari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "informació de l'usuari, normalment el nom complet " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "shell de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" +"Per defecte, el contestador de l'InfoPipe únicament permet que se " +"sol·licitin el conjunt per defecte dels atributs POSIX. Aquest conjunt és el " +"mateix que es retorna amb <citerefentry> <refentrytitle>getpwnam</" +"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> i inclou: " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (booleà)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"Es poden afegir altres atributs a aquest conjunt amb <quote>+nom_atribut</" +"quote> o suprimir explícitament un atribut amb <quote>-nom_atribut</quote>. " +"Per exemple, per permetre <quote>telephoneNumber</quote> però denegar " +"<quote>loginShell</quote>, podríeu utilitzar la següent configuració: " +"<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" +"Per defecte: sense establir. Únicament es permet el conjunt per defecte dels " +"atributs POSIX." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Desenvolupador (2013-2014)</contrib> " +"</author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Desenvolupador (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "sss_rpcidmapd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "les directrius de configuració del complement sss per al rpc.idmapd" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "FITXER DE CONFIGURACIÓ" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" +"El fitxer de configuració rpc.idmapd normalment es troba a <emphasis>/etc/" +"idmapd.conf</emphasis>. Vegeu <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> per més informació." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "AMPLIACIÓ DE LA CONFIGURACIÓ DE L'SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "Habilita el complement SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" +"En la secció <quote>[Translation]</quote>, modifiqueu o establiu l'atribut " +"<quote>Method</quote> per abastar <emphasis>sss</emphasis>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "Secció de configuració [sss]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." 
+msgstr "" +"Per canviar el valor per defecte d'un dels atributs de configuració del " +"connector de l'<emphasis>sss</emphasis> que es llisten a continuació, " +"necessitareu crear-li una secció de configuració, anomenada <quote>[sss]</" +"quote>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "Atributs de configuració" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "memcache (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "Indica si s'utilitza o no la tècnica d'optimització de la memòria cau." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "INTEGRACIÓ DE L'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" +"El connector sss requereix que s'habiliti el <emphasis>contestador del NSS</" +"emphasis> al sssd." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" +"L'atribut <quote>use_fully_qualified_names</quote> ha d'estar habilitat en " +"tots els dominis (els clients de NFSv4 esperen un FQN per a ser enviats al " +"cable)." + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" +"[General]\n" +"Verbosity = 2\n" +"# el domini ha de sincronitzar-se entre el servidor i els clients del NFSv4\n" +"# Solaris/Illumos/AIX utilitzen \"localdomain\" com a predeterminat!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector " +"sss. <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VEGEU TAMBÉ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "obté les claus autoritzades de l'OpenSSH" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>opcions</replaceable> </arg> <arg " +"choice='plain'><replaceable>USUARI</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Per defecte: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (booleà)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." 
+"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "<emphasis>s</emphasis> per segons" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "<emphasis>m</emphasis> per minuts" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "<emphasis>h</emphasis> per hores" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "<emphasis>d</emphasis> per dies." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 -msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "obté les claus de l'amfitrió de l'OpenSSH" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (cadena)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." 
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." 
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 -msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " -#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> for more information on configuring Kerberos." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." -msgstr "" -"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu " -"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> per a més informació sobre configurar Kerberos." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (booleà)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" -msgstr "krb5_map_user (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 -msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssctl.8.xml:32 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." 
+"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXEMPLE.COM\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "crea un nou grup" +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-files.5.xml:58 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"<command>sss_groupadd</command> crea un nou grup. 
Aquests grups són " -"compatibles amb els grups POSIX, amb la característica addicional que poden " -"contenir altres grups com a membres." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -"Estableix el GID del grup al valor del <replaceable>GID</replaceable>. Si no " -"se'n proporciona cap, es tria automàticament." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "suprimeix el compte d'un usuari" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'><replaceable>USUARI</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 -msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" -"<command>sss_userdel</command> suprimeix un usuari identificat amb el nom " -"d'usuari <replaceable>USUARI</replaceable> del sistema." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." 
+"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Els fitxers al directori inicial de l'usuari seran eliminats juntament amb " -"el mateix directori inicial i la gestió de cues del correu de l'usuari. " -"Substitueix la configuració." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. 
" +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Els fitxers al directori inicial de l'usuari no seran eliminats juntament " -"amb el mateix directori inicial i la gestió de cues del correu de l'usuari. " -"Substitueix la configuració." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -"Aquesta opció obliga a <command>sss_userdel</command> a suprimir el " -"directori inicial i la gestió de cues del correu de l'usuari, encara que no " -"siguin de la propietat de l'usuari especificat." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 +msgid "" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." 
-msgstr "Abans d'eliminar realment a l'usuari, acaba tots els seus processos." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap +msgid "" +"passwd: sss files\n" +"group: sss files\n" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "suprimeix un grup" +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:36 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." 
+"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -"<command>sss_groupdel</command> suprimeix un grup identificat amb el seu nom " -"de <replaceable>GRUP</replaceable> del sistema." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "imprimeix les propietats d'un grup" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The secrets are simple key-value pairs. 
Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-secrets.5.xml:61 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. 
The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<command>sss_groupshow</command> mostra la informació sobre un grup " -"identificat amb el seu nom de <replaceable>GRUP</replaceable>. La informació " -"inclou el número de l'id. del grup, els membres del grup i el grup primari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "modifica el compte d'un usuari" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>OPCIONS</" -"replaceable></arg> <arg choice='plain'> <replaceable>USUARI</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sssd-secrets.5.xml:95 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -"<command>sss_usermod</command> modifica el compte especificat amb " -"<replaceable>USUARI</replaceable> per reflectir els canvis que " -"s'especifiquen a la línia d'ordres." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "El directori inicial del compte de l'usuari." 
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "El shell d'inici de sessió de l'usuari." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -"Annexa aquest usuari als grups que s'especifiquen amb el paràmetre dels " -"<replaceable>GRUPS</replaceable>. El paràmetre dels <replaceable>GRUPS</" -"replaceable> és una llista delimitada per comes dels noms dels grups." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." -msgstr "Bloqueja el compte de l'usuari. L'usuari no podrà iniciar la sessió." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "Desbloqueja el compte de l'usuari." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." -msgstr "L'usuari de SELinux per a l'inici de sessió de l'usuari." +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -"<option>--addattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." -msgstr "Afegeix una parella atribut/valor. El format és nomatribut=valor." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -"<option>--setattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -"Estableix un atribut a la parella nom/valor. El format és nomatribut=valor. " -"Per als atributs amb múltiples valors, l'ordre substitueix els valors ja " -"presents" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. 
The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -"<option>--delattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." -msgstr "Elimina una parella atribut/valor. El format és nomatribut=valor." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "fa neteja de la memòria cau" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." 
+"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>usuari</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "Invalida un usuari específic." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 -msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" -"Invalida tots els registres dels usuaris. 
Aquesta opció anul·la la " -"invalidació d'un usuari específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>grup</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "Invalida un grup específic." +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:219 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -"Invalida tots els registres dels grups. Aquesta opció anul·la la invalidació " -"d'un grup específic, si també es va especificar." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 -msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>grup-de-xarxa</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "invalida un grup de xarxa específic." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -"Invalida tots els registres dels grups de xarxa. Aquesta opció anul·la la " -"invalidació d'un grup de xarxa específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>servei</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "invalida un servei específic." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:260 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -"Invalida tots els registres dels serveis. Aquesta opció anul·la la " -"invalidació d'un servei específic, si també es va especificar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>assignació-" -"autofs</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "Invalida una assignació autofs específica." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:278 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -"Invalida tots els registres de les assignacions autofs. Aquesta opció " -"anul·la la invalidació d'una assignació autofs específica, si també es va " -"especificar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>nom-amfitrió</" -"replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." -msgstr "Invalida les claus públiques SSH d'un amfitrió especific." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" -msgstr "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -"Invalida tots els registres de les claus públiques SSH de tots els " -"amfitrions. Aquesta opció anul·la la invalidació d'una clau pública SSH d'un " -"amfitrió específic, si també es va especificar." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#: sssd-secrets.5.xml:323 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>domini</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." 
-msgstr "Restringeix el procés d'invalidació a tan sols un domini concret." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg " -"choice='plain'><replaceable>NOU_NIVELL_DE_DEPURACIÓ</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 -msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "implanta la memòria cau de l'SSSD amb un usuari" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>opcions</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMINI</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USUARI</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -"<command>sss_seed</command> implanta la memòria cau de l'SSSD amb una " -"entrada d'un usuari i la contrasenya temporal. Si l'entrada d'un usuari ja " -"està present a la memòria cau de l'SSSD aleshores s'actualitza l'entrada amb " -"la contrasenya temporal." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMINI</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#: sssd-secrets.5.xml:398 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -"Proporciona el nom del domini en el qual l'usuari n'és membre. El domini " -"també s'utilitza per recuperar la informació de l'usuari. 
El domini ha " -"d'estar configurat a l'sssd.conf. S'ha de proporcionar l'opció del " -"<replaceable>DOMINI</replaceable>. La informació recuperada del domini " -"anul·la aquella que es proporcioni a les opcions." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -"L'entrada del nom d'usuari a crear o modificar a la memòria cau. S'ha de " -"proporcionar l'opció de l'<replaceable>USUARI</replaceable>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "Estableix l'UID de l'usuari a <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." -msgstr "Estableix el GID de l'usuari a <replaceable>GID</replaceable>." +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -"Establix el directori inicial de l'usuari a <replaceable>DIRECTORI_INICIAL</" -"replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" -"Estableix el shell d'inici de sessió de l'usuari a <replaceable>SHELL</" -"replaceable>." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:461 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -"Mode interactiu per a la introducció de la informació de l'usuari. Aquesta " -"opció només demanà la informació no proporcionada a les opcions o que no es " -"recuperi del domini." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -"<option>-p</option>,<option>--password-file</option> " -"<replaceable>FITXER_CONTRASENYA</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" -"Especifica el fitxer des d'on llegir la contrasenya de l'usuari. (si no " -"s'especifica, es demana per la contrasenya)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -"La longitud de la contrasenya (o la mida del fitxer que s'especifica amb " -"l'opció -p o --password-file) ha de ser més petita o igual que PASS_MAX " -"bytes (64 bytes en els sistemes que no defineixen globalment el valor de " -"PASS_MAX)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" -msgstr "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" -msgstr "contestador de l'InfoPipe de l'SSSD" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -"En aquesta pàgina del manual es descriu la configuració del contestador de " -"l'InfoPipe per a <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Per a una referència detallada de " -"la sintaxi, consulteu la secció <quote>FORMAT DEL FITXER</quote> de la " -"pàgina del manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -"El contestador de l'InfoPipe proporciona una interfície D-Bus publica que es " -"pot accedir a través del bus del sistema. La interfície permet que l'usuari " -"consulti informació sobre els usuaris i els grups remots a través del bus " -"del sistema." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" -"Es poden utilitzar aquestes opcions per configurar el contestador de " -"l'InfoPipe." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:496 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" -"Especifica una llista separada per comes dels valors dels UID o dels noms " -"d'usuaris que estan assignats per accedir al contestador de l'InfoPipe. Els " -"noms d'usuaris es resolen als UID en la preparació." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#: sssd-secrets.5.xml:519 msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. 
Please note the URI must end with a trailing slash." msgstr "" -"Per defecte: 0 (únicament a l'usuari root se li permet l'accés al " -"contestador de l'InfoPipe)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -"Tingueu en compte que encara que s'utilitzi l'UID 0 com a valor per defecte " -"se sobreescriurà amb aquesta opció. Si encara voleu permetre que l'usuari " -"root accedeixi al contestador de l'InfoPipe, el que seria el cas típic, " -"també cal afegir 0 a la llista dels UID permesos." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -"Especifica una llista separada per comes dels atributs de la llista negra o " -"blanca." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" -msgstr "name" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" -msgstr "nom d'inici de sessió de l'usuari" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" -msgstr "uidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" -msgstr "id. de l'usuari" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" -msgstr "gidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" -msgstr "id. del grup primari" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" -msgstr "gecos" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" -msgstr "informació de l'usuari, normalment el nom complet " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" -msgstr "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" -msgstr "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "shell de l'usuari" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#: sssd-secrets.5.xml:547 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -"Per defecte, el contestador de l'InfoPipe únicament permet que se " -"sol·licitin el conjunt per defecte dels atributs POSIX. Aquest conjunt és el " -"mateix que es retorna amb <citerefentry> <refentrytitle>getpwnam</" -"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> i inclou: " -"<placeholder type=\"variablelist\" id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 +#: sssd-secrets.5.xml:553 #, no-wrap msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" " " msgstr "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-secrets.5.xml:551 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -"Es poden afegir altres atributs a aquest conjunt amb <quote>+nom_atribut</" -"quote> o suprimir explícitament un atribut amb <quote>-nom_atribut</quote>. " -"Per exemple, per permetre <quote>telephoneNumber</quote> però denegar " -"<quote>loginShell</quote>, podríeu utilitzar la següent configuració: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -"Per defecte: sense establir. Únicament es permet el conjunt per defecte dels " -"atributs POSIX." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Desenvolupador (2013-2014)</contrib> " -"</author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Desenvolupador (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" -msgstr "sss_rpcidmapd" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "les directrius de configuració del complement sss per al rpc.idmapd" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" -msgstr "FITXER DE CONFIGURACIÓ" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-session-recording.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." 
+"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"El fitxer de configuració rpc.idmapd normalment es troba a <emphasis>/etc/" -"idmapd.conf</emphasis>. Vegeu <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> per més informació." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" -msgstr "AMPLIACIÓ DE LA CONFIGURACIÓ DE L'SSS" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" -msgstr "Habilita el complement SSS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -"En la secció <quote>[Translation]</quote>, modifiqueu o establiu l'atribut " -"<quote>Method</quote> per abastar <emphasis>sss</emphasis>." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" -msgstr "Secció de configuració [sss]" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -"Per canviar el valor per defecte d'un dels atributs de configuració del " -"connector de l'<emphasis>sss</emphasis> que es llisten a continuació, " -"necessitareu crear-li una secció de configuració, anomenada <quote>[sss]</" -"quote>." - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "Atributs de configuració" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" -msgstr "memcache (booleà)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." -msgstr "Indica si s'utilitza o no la tècnica d'optimització de la memòria cau." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" -msgstr "INTEGRACIÓ DE L'SSSD" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -"El connector sss requereix que s'habiliti el <emphasis>contestador del NSS</" -"emphasis> al sssd." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-session-recording.5.xml:146 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -"L'atribut <quote>use_fully_qualified_names</quote> ha d'estar habilitat en " -"tots els dominis (els clients de NFSv4 esperen un FQN per a ser enviats al " -"cable)." #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#: sssd-session-recording.5.xml:151 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -"[General]\n" -"Verbosity = 2\n" -"# el domini ha de sincronitzar-se entre el servidor i els clients del NFSv4\n" -"# Solaris/Illumos/AIX utilitzen \"localdomain\" com a predeterminat!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#: sssd-kcm.8.xml:23 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -"En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector " -"sss. <placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "VEGEU TAMBÉ" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#: sssd-kcm.8.xml:31 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "obté les claus autoritzades de l'OpenSSH" +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>opcions</replaceable> </arg> <arg " -"choice='plain'><replaceable>USUARI</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#: sssd-kcm.8.xml:67 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#: sssd-kcm.8.xml:84 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#: sssd-kcm.8.xml:76 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. 
If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 +msgid "" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#: sssd-kcm.8.xml:164 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "obté les claus de l'amfitrió de l'OpenSSH" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of the IPA provider for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " +#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page." 
msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"En aquesta pàgina del manual es descriu la configuració del proveïdor IPA " +"per a <citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry>. Per una referència detallada sintaxi, aneu a la " +"secció de <quote>FORMAT DE FITXER</quote> de la pàgina del manual " +"<citerefentry>d'<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-kcm.8.xml:183 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (enter)" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id, max_id (enter)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#: sssd-kcm.8.xml:220 msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." -msgstr "" +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Per defecte: 6" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (enter)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 +msgid "" +"How big can a credential cache be per ccache. 
Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Per defecte: 6" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#: sssd-systemtap.5.xml:23 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. 
If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "user_attributes = +telephoneNumber, -loginShell\n" +#| " " msgid "" -"[domain/files]\n" -"id_provider = files\n" +"attr:string\n" +"value:string\n" +" " msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"passwd: sss files\n" -"group: sss files\n" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. 
In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 -msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 -msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#: sssd-systemtap.5.xml:412 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (cadena)" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "Proveïdor de LDAP de l'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" +"En aquesta pàgina del manual es descriu la configuració de dominis LDAP per " +"a <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. Consulteu la secció <quote>FORMAT DE FITXER</" +"quote> de la pàgina del manual <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> per obtenir " +"informació detallada de la sintaxi." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "La classe d'objecte d'una entrada d'usuari a LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Per defecte: posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "L'atribut LDAP que correspon al nom de compte de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 -msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" +"L'atribut LDAP que correspon al númerdo de l'identificador de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "Per defecte: uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" +"L'atribut LDAP que correspon a l'identificador del grup primari de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Per defecte: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "L'atribut LDAP que correspon al camp gecos de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Per defecte: gecos" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "L'atribut LDAP que conté el nom del directori inicial de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "L'atribut LDAP que conté el camí al shell per defecte de l'usuari." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Per defecte: loginShell" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" +"L'atribut LDAP que conté la data i hora de l'última modificació de l'objecte " +"pare." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Per defecte: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (data de l'últim canvi de contrasenya)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Per defecte: shadowLastChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (edat mínima de la contrasenya)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Per defecte: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (edat màxima de la contrasenya)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Per defecte: shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." 
msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (període d'advertència de contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Per defecte: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (període d'inactivitat de contrasenya)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Per defecte: shadowInactive" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"En utilitzar ldap_pwd_policy=shadow o ldap_account_expire_policy=shadow, " +"aquest paràmetre conté el nom d'un atribut d'LDAP corresponent al seu " +"homòleg <citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (data de caducitat del compte)." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Per defecte: shadowExpire" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." 
msgstr "" +"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " +"d'un atribut d'LDAP que emmagatzema la data i hora del darrer canvi de " +"contrasenya en kerberos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Per defecte: krbLastPwdChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" +"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " +"d'un atribut d'LDAP que emmagatzema la data i hora d'expiració de la " +"contrasenya actual." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 -msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Per defecte: krbPasswordExpiration" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap -msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Per defecte: accountExpires" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 -msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Per defecte: userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The following example deletes a secret named 'foo'. 
<placeholder type=" -"\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Per defecte: loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Per defecte: loginAllowedTimeMap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" +"L'atribut LDAP que conté el Nom Principal d'Usuari (UPN) de l'usuari de " +"Kerberos." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Per defecte: krbPrincipalName" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." 
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "Per defecte: sshPublicKey" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." 
+msgstr "L'atribut LDAP que correspon al nom complet de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "L'atribut LDAP que llista la pertanença a grups de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Per defecte: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"Si access_provider=ldap i ldap_access_order=authorized_service, l'SSSD farà " +"servir la presència de l'atribut authorizedService a l'entrada LDAP de " +"l'usuari per determinar els privilegis d'accés." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"Una denegació explícita (!svc) es resol en primer lloc. En segon lloc, " +"l'SSSD cerca autoritzacions explícites (svc) i, finalment, allow_all (*)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 +msgid "" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Per defecte: authorizedService" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "La classe d'objecte d'una entrada de grup a LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Per defecte: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "L'atribut LDAP que es correspon amb el nom del grup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "L'atribut LDAP que correspon a l'identificador del grup." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "L'atribut LDAP que conté els noms dels membres del grup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Per defecte: memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +#, fuzzy +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"systemctl restart sssd-kcm.service\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." 
+"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -#, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the IPA provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -"En aquesta pàgina del manual es descriu la configuració del proveïdor IPA " -"per a <citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry>. Per una referència detallada sintaxi, aneu a la " -"secció de <quote>FORMAT DE FITXER</quote> de la pàgina del manual " -"<citerefentry>d'<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "La classe d'objecte d'una entrada de netgroup a LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Per defecte: nisNetgroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "L'atribut LDAP que es correspon amb el nom del netgroup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "L'atribut LDAP que conté els noms dels membres del netgroup." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Per defecte: memberNisNetgroup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id, max_id (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"L'atribut LDAP que conté les tripletes netgroup (maquina, usuari, domini)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Per defecte: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (enter)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Per defecte: nisNetgroupTriple" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Per defecte: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Per defecte: ipService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap -msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "SECCIONS DELS SERVEIS" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Per defecte: ipServicePort" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Per defecte: ipServiceProtocol" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Per defecte: sudoRole" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Per defecte: sudoCommand" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Per defecte: sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Per defecte: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Per defecte: sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Per defecte: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Per defecte: sudoRunAsGroup" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Per defecte: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Per defecte: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Per defecte: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "OPCIONS D'AUTOFS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (cadena)" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> @@ -17639,3 +18008,6 @@ msgstr "" #~ msgid "Default: homeDirectory" #~ msgstr "Per defecte: homeDirectory" + +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (enter)" diff --git a/src/man/po/cs.po b/src/man/po/cs.po index e3cfe0b6d69..4642fe99e5c 100644 --- a/src/man/po/cs.po +++ b/src/man/po/cs.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2019-06-21 02:15+0000\n" "Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n" "Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/" @@ -33,7 +33,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Manuálové stránky SSSD" @@ -76,7 +76,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "POPIS" 
@@ -136,7 +136,7 @@ msgstr "" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -145,7 +145,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" @@ -296,12 +296,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -318,19 +318,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -353,8 +357,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -369,7 +373,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -417,19 +421,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -449,7 +453,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -469,12 +473,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -482,39 +486,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -529,20 +533,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -550,52 +565,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -608,17 +623,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -628,7 +643,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -641,23 +656,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -667,7 +682,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -676,22 +691,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -699,69 +714,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 200000" msgid "Default: sha256" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -769,19 +803,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -789,24 +823,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -815,7 +849,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -823,8 +857,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -832,68 +880,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -904,7 +952,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -921,7 +969,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -938,12 +986,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -952,22 +1000,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -977,17 +1025,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -997,18 +1045,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1016,24 +1064,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1041,12 +1089,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1058,58 +1106,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1117,7 +1165,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1127,7 +1175,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1136,17 +1184,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1154,17 +1202,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1172,17 +1220,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1191,7 +1239,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1200,41 +1248,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1242,23 +1290,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1266,47 +1314,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1314,112 +1362,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1430,96 +1478,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1527,59 +1575,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1588,61 +1636,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1650,7 +1698,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1659,17 +1707,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1677,31 +1725,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1711,75 +1759,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1787,19 +1835,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1807,12 +1855,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1820,77 +1868,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1898,7 +1946,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1910,63 +1958,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1974,12 +2022,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1990,7 +2038,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1998,7 +2046,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2006,7 +2054,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2015,12 +2063,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2031,24 +2079,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2058,22 +2106,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2081,51 +2129,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2134,24 +2182,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2162,7 +2237,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2173,24 +2248,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2198,12 +2273,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2212,24 +2287,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2239,66 +2314,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2306,17 +2381,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2324,7 +2399,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2332,22 +2407,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2356,14 +2431,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2372,38 +2447,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2412,24 +2487,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2438,29 +2513,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2474,14 +2549,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2490,39 +2565,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2531,19 +2606,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2554,115 +2629,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2671,42 +2746,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2714,24 +2789,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2740,17 +2815,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2759,34 +2834,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2794,7 +2869,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2802,8 +2877,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2812,8 +2887,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2821,19 +2896,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2842,7 +2917,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2850,22 +2925,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2877,7 +2952,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2885,19 +2960,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2905,7 +2980,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2913,35 +2988,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2949,19 +3024,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2970,7 +3045,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2978,29 +3053,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3008,7 +3083,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3016,35 +3091,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3052,32 +3127,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3088,7 +3163,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3097,12 +3172,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3110,7 +3185,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3118,31 +3193,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3150,7 +3225,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3159,17 +3234,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3177,43 +3252,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3221,7 +3296,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3229,7 +3304,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3237,24 +3312,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3262,12 +3337,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3277,7 +3352,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3287,29 +3362,29 @@ msgstr "" # auto translated by TM merge from project: Fedora Websites, version: fedorahosted.org, DocId: po/fedorahosted #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3317,7 +3392,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3327,59 +3402,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3388,77 +3463,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3466,7 +3541,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3475,17 +3550,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3493,34 +3568,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3528,32 +3603,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3563,34 +3638,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3599,19 +3674,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3619,24 +3694,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3645,24 +3720,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3672,14 +3747,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3687,21 +3762,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3709,7 +3784,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3718,7 +3793,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3727,7 +3802,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3735,29 +3810,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3765,12 +3840,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3779,12 +3854,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3792,19 +3867,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3821,7 +3896,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3829,17 +3904,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3848,7 +3923,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3858,7 +3933,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3878,12 +3953,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3891,73 +3966,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3965,17 +4040,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3984,17 +4059,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4002,17 +4077,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4020,17 +4095,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4041,69 +4116,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4116,7 +4191,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4124,7 +4199,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4133,55 +4208,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4190,17 +4265,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4208,26 +4283,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4236,17 +4311,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4256,7 +4331,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4265,59 +4340,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4325,14 +4400,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4340,7 +4415,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4348,12 +4423,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4383,7 +4458,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4392,7 +4467,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4400,7 +4475,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4411,7 +4486,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4425,7 +4500,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4481,12 +4556,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4496,33 +4571,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4531,71 +4606,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4604,7 +4679,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4615,12 +4690,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4628,32 +4703,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4664,37 +4739,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4703,10749 +4778,10995 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" # auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "heslo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1577 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. 
To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. 
With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 -msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 -msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 -msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. 
With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. 
It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Pokud jsou všechny seznamy prázdné, přístup je udělen" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (řetězec)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (řetězec)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." 
+"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. 
" -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "sss-certmap" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. 
The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "Příklad: <SUBJECT>.*,DC=MOJE,DC=DOMENA" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 -msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "digitalSignature" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 -msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "nonRepudiation" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "dataEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "keyAgreement" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "keyCertSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "cRLSign" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "encipherOnly" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "decipherOnly" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." 
-msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "serverAuth" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "clientAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "codeSigning" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "emailProtection" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "timeStamping" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "OCSPSigning" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "KPClientAuth" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "pkinit" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "msScLogin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. 
Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 -msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "{cert[!(bin|base64)]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "Příklad: (userCertificate;binary={cert!bin})" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "{subject_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. 
The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" +"Příklad: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "{subject_nt_principal[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "{subject_rfc822_name[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" +"Příklad: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "{subject_dns_name[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" +"Příklad: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "{subject_uri}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "Příklad: (uri={subject_uri})" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 -msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 -msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#: sssd-ipa.5.xml:23 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." 
+"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#: sssd-ipa.5.xml:62 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 -msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 -msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. 
In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 -msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." 
+"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. 
Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 -msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. 
Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Pokud jsou všechny seznamy prázdné, přístup je udělen" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (řetězec)" +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:479 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. 
This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (řetězec)" +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:495 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (řetězec)" +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#: sssd-ipa.5.xml:509 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (řetězec)" +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#: sssd-ipa.5.xml:525 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" -msgstr "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 -msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 -msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 -msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 -msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 -msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 -msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" -msgstr "Příklad: <SUBJECT>.*,DC=MOJE,DC=DOMENA" - #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#: sssd-ipa.5.xml:643 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#: sssd-ipa.5.xml:656 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" -msgstr "digitalSignature" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" -msgstr "nonRepudiation" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" -msgstr "keyEncipherment" +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" -msgstr "dataEncipherment" +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" -msgstr "keyAgreement" +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "keyCertSign" +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" -msgstr "cRLSign" +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" -msgstr "encipherOnly" +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" -msgstr "decipherOnly" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#: sssd-ipa.5.xml:696 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" -msgstr "serverAuth" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "clientAuth" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" -msgstr "codeSigning" +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "emailProtection" +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" -msgstr "timeStamping" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "OCSPSigning" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" -msgstr "KPClientAuth" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "pkinit" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" -msgstr "msScLogin" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 -msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. 
However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. 
A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 -msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 -msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 -msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" -msgstr "{cert[!(bin|base64)]}" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" -msgstr "Příklad: (userCertificate;binary={cert!bin})" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" -msgstr "{subject_principal[.short_name]}" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. 
If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. 
The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -"Příklad: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" -msgstr "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" -msgstr "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." 
-"short_name}))" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -"Příklad: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" -msgstr "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -"Příklad: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" -msgstr "{subject_uri}" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "Příklad: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. 
In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 -msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 -msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:495 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:515 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. 
Domains not know to SSSD will be ignored." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:531 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:549 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:554 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. 
For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. 
To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 -msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:638 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:657 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:663 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:697 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:715 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:721 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 -msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. 
If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:790 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:808 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:826 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:852 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:857 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:901 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:927 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:1004 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:1022 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:1068 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:1081 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." 
+"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." 
+"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." 
+"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 -msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 -msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 -msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." 
-"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 -msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 -msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. 
Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sss_obfuscate.8.xml:32 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sss_obfuscate.8.xml:37 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sss_obfuscate.8.xml:49 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"The SSSD domain to use the password in. The default name is <quote>default</" "quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"ldap_id_mapping = False\n" -" " +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. 
If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. 
For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. 
If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. 
For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 -msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 -msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. 
Host entries in the list have no effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 -msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 -msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." 
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:122 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." 
+"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:138 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 -msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. 
For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. 
See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:243 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:275 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:288 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#: sssd-krb5.5.xml:309 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 -msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 -msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap -msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." 
+"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sssd-krb5.5.xml:65 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#: sss_groupadd.8.xml:48 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 -msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#: sss_userdel.8.xml:48 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "vymazat skupinu" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" +"replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." 
msgstr "" +"<command>sss_groupdel</command> odstraní ze systému skupinu určenou jejím " +"jménem<replaceable>SKUPINA</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 -msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. 
The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#: sss_groupshow.8.xml:47 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 -msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 -msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_usermod.8.xml:152 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#: sss_cache.8.xml:31 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:53 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:68 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:75 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:112 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:134 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:141 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_cache.8.xml:156 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_cache.8.xml:163 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_cache.8.xml:201 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_seed.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_seed.8.xml:33 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_seed.8.xml:46 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_seed.8.xml:51 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#: sss_seed.8.xml:63 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sss_seed.8.xml:68 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#: sss_seed.8.xml:117 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sss_seed.8.xml:140 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#: sss_seed.8.xml:148 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 -msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#: sss_seed.8.xml:153 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#: sssd-ifp.5.xml:23 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sssd-ifp.5.xml:36 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 -msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." 
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 -msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 -msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 -msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VIZ TAKÉ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 -msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 -msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. 
The following options are supported:" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
This might be " -"helpful when there are too many servers discovered using SRV record." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." 
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: idmap_sss.8.xml:45 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: idmap_sss.8.xml:62 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." 
+"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#: sssctl.8.xml:21 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#: sssctl.8.xml:32 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-files.5.xml:36 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. 
See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 +msgid "" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." 
+"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "vymazat skupinu" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" -"replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</replaceable></" -"arg>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 -msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -"<command>sss_groupdel</command> odstraní ze systému skupinu určenou jejím " -"jménem<replaceable>SKUPINA</replaceable>." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"[domain/files]\n" +"id_provider = files\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-files.5.xml:143 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"passwd: sss files\n" +"group: sss files\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sssd-secrets.5.xml:36 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. 
Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:219 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:260 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:278 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 -msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#: sssd-secrets.5.xml:323 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#: sssd-secrets.5.xml:335 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 -msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 -msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 -msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." 
+#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:461 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:496 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#: sssd-secrets.5.xml:519 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 #, no-wrap msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-session-recording.5.xml:41 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." 
+"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:67 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#: sssd-kcm.8.xml:76 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-kcm.8.xml:89 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#: sssd-kcm.8.xml:111 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#: sssd-kcm.8.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "VIZ TAKÉ" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#: sssd-kcm.8.xml:122 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#: sssd-kcm.8.xml:155 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#: sssd-kcm.8.xml:164 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#: sssd-kcm.8.xml:183 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "ldap_idmap_range_size (integer)" +msgid "max_ccaches (integer)" +msgstr "ldap_idmap_range_size (celé číslo)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "ldap_idmap_range_size (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "ldap_idmap_range_size (celé číslo)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 200000" +msgid "Default: 64" +msgstr "Výchozí: 200000" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_idmap_range_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_idmap_range_size (celé číslo)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 200000" +msgid "Default: 65536" +msgstr "Výchozí: 200000" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "vyzkoušet sssd_transaction_commit_after" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "Vyzkouší funkci sysdb_transaction_commit_after()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "vyzkouší sdap_search_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "Vyzkouší funkci sdap_get_generic_ext_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +#, fuzzy +#| msgid "probe sdap_search_send" +msgid "probe sdap_parse_entry" +msgstr "vyzkouší sdap_search_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +#, fuzzy +#| msgid "probe dp_req_done" +msgid "probe sdap_parse_entry_done" +msgstr "probe dp_req_done" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 -msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" +msgstr "probe sdap_search_user_save_begin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "Zkouší funkci sdap_search_user_save_begin()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "vyzkoušet sdap_search_user_save_end" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "Vyzkouší funkci sdap_search_user_save_end()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" +msgstr "probe dp_req_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" +msgstr "probe dp_req_done" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "RŮZNÉ FUNKCE" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" +msgstr "function acct_req_desc(entry_type)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" +"funkce sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" +msgstr "funkce dp_target_str(target)" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" +msgstr "funkce dp_method_str(target)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "Převést metodu na řetězec a vrátit řetězec" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-systemtap.5.xml:412 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. 
As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. 
The local provider does not have any additional config options at the " -"moment." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." 
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. 
In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." 
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. 
Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +#, fuzzy +#| msgid "simple_deny_groups (string)" +msgid "ldap_group_type (string)" +msgstr "simple_deny_groups (řetězec)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that references group members that are defined in an " +"external domain. 
At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." 
-"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "ldap_idmap_range_size (integer)" -msgid "max_ccaches (integer)" -msgstr "ldap_idmap_range_size (celé číslo)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "ldap_idmap_range_size (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "ldap_idmap_range_size (celé číslo)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 200000" -msgid "Default: 64" -msgstr "Výchozí: 200000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_idmap_range_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_idmap_range_size (celé číslo)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 200000" -msgid "Default: 65536" -msgstr "Výchozí: 200000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" -msgstr "vyzkoušet sssd_transaction_commit_after" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." -msgstr "Vyzkouší funkci sysdb_transaction_commit_after()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" -msgstr "vyzkouší sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "Vyzkouší funkci sdap_get_generic_ext_send()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap -msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." -msgstr "Zkouší funkci sdap_search_user_save_begin()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "vyzkoušet sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "Vyzkouší funkci sdap_search_user_save_end()." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "probe dp_req_send" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "RŮZNÉ FUNKCE" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" -msgstr "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -"funkce sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "funkce dp_target_str(target)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" -msgstr "funkce dp_method_str(target)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" -msgstr "Převést metodu na řetězec a vrátit řetězec" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 diff --git a/src/man/po/de.po b/src/man/po/de.po index fa324af6e56..cb8d12f780e 100644 --- a/src/man/po/de.po +++ b/src/man/po/de.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-14 11:53+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/" @@ -33,7 +33,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD-Handbuchseiten" 
@@ -79,7 +79,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "BESCHREIBUNG" @@ -150,7 +150,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -159,7 +159,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Dateiformate und Konventionen" 
@@ -322,12 +322,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Voreinstellung: »true«" 
@@ -344,19 +344,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Voreinstellung: »false«" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -379,8 +383,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Voreinstellung: 10" @@ -395,7 +399,7 @@ msgid "The [sssd] section" msgstr "Der Abschnitt [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Abschnittsparameter" @@ -449,12 +453,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -464,7 +468,7 @@ msgstr "" "startet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Voreinstellung: 3" @@ -484,7 +488,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (Zeichenkette)" 
@@ -507,12 +511,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -524,32 +528,32 @@ msgstr "" "zusammengestellt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "Benutzername" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." 
@@ -558,7 +562,7 @@ msgstr "" "direkt konfiguriert als auch über IPA-Trust" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -578,16 +582,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD überwacht den Status der »resolv.conf«, um festzustellen, wann es " "seinen internen DNS-Resolver aktualisieren muss. Standardmäßig werden wir " 
@@ -596,7 +619,7 @@ msgstr "" "abzufragen." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -607,7 +630,7 @@ msgstr "" "sollte diese Option auf »false« gesetzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -616,7 +639,7 @@ msgstr "" "»false« auf anderen Plattformen." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -625,12 +648,12 @@ msgstr "" "verfügbar ist, keine Auswirkungen haben." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -639,7 +662,7 @@ msgstr "" "Zwischenspeichers speichern sollte." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." @@ -649,7 +672,7 @@ msgstr "" "Ort für den Replay-Zwischenspeicher ist." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -658,12 +681,12 @@ msgstr "" "(__LIBKRB5_DEFAULTS__, falls nicht konfiguriert)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " 
@@ -676,17 +699,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -702,7 +725,7 @@ msgstr "" "ihrem Benutzernamen ohne auch eine Domain anzugeben." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -715,23 +738,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Voreinstellung: nicht gesetzt" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -741,7 +764,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -750,22 +773,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -773,69 +796,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Voreinstellung: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -843,19 +885,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -863,24 +905,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -889,7 +931,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -897,8 +939,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -906,68 +962,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -978,7 +1034,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " 
@@ -995,7 +1051,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Voreinstellung: Nicht gesetzt" @@ -1018,12 +1074,12 @@ msgstr "" "verwendet. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "DIENSTABSCHNITTE" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -1036,22 +1092,22 @@ msgstr "" "Abschnitt zum Beispiel <quote>[nss]</quote>." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Allgemeine Optionen zum Konfigurieren von Diensten" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Diese Optionen können zur Konfiguration jedes Dienstes benutzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -1067,17 +1123,17 @@ msgstr "" "Begrenzung in der »limit.conf« sein." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "Voreinstellung: 8192 (oder die »harte« Begrenzung der »limit.conf«)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1087,18 +1143,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Voreinstellung: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1106,24 +1162,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1131,12 +1187,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1148,30 +1204,30 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Voreinstellung: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "NSS-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1179,12 +1235,12 @@ msgstr "" "benutzt werden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1193,17 +1249,17 @@ msgstr "" "über alle Nutzer) zwischenspeichern?" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Voreinstellung: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1215,7 +1271,7 @@ msgstr "" "werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1232,7 +1288,7 @@ msgstr "" "Zwischenspeicheraktualisierung zu warten." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1245,17 +1301,17 @@ msgstr "" "Sekunden senken. (0 schaltet diese Funktionalität aus.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Voreinstellung: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1267,17 +1323,17 @@ msgstr "" "Backend erneut gefragt wird)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Voreinstellung: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1285,17 +1341,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1304,7 +1360,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " @@ -1313,17 +1369,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Voreinstellung: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" 
@@ -1331,12 +1387,12 @@ msgstr "" "setzen Sie diese Option auf »false«." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1345,7 +1401,7 @@ msgstr "" "es nicht explizit durch den Datenanbieter der Domain angegeben wurde." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1353,7 +1409,7 @@ msgstr "" "»override_homedir«." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1363,25 +1419,25 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" "Voreinstellung: nicht gesetzt (kein Ersetzen nicht gesetzter Home-" "Verzeichnisse)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1392,19 +1448,19 @@ msgstr "" "entweder im Abschnitt [nss] oder für jede Domain gesetzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" "Voreinstellung: nicht gesetzt (SSSD wird den von LDAP erhaltenen Wert " "benutzen)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" @@ -1412,12 +1468,12 @@ msgstr "" "Reihenfolge der Auswertung ist:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "1. Falls die Shell in »/etc/shells« vorhanden ist, wird sie benutzt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1426,7 +1482,7 @@ msgstr "" "shells« steht, wird der Wert des Parameters »shell_fallback« verwendet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." 
@@ -1435,12 +1491,12 @@ msgstr "" "steht, wird eine Nicht-Login-Shell benutzt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " @@ -1448,13 +1504,13 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" "Eine leere Zeichenkette als Shell wird, so wie sie ist, an Libc übergeben." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." 
@@ -1463,28 +1519,28 @@ msgstr "" "Fall einer neu installierten Shell ein Neustart von SSSD nötig ist." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" "Voreinstellung: nicht gesetzt. Die Benutzer-Shell wird automatisch verwendet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "ersetzt jedwede Instanz dieser Shells durch die aus »shell_fallback«." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1492,17 +1548,17 @@ msgstr "" "auf dem Rechner installiert ist." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Voreinstellung: /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." @@ -1512,7 +1568,7 @@ msgstr "" "jede Domain gesetzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" @@ -1522,12 +1578,12 @@ msgstr "" "Vernünftiges, üblicherweise /bin/sh, ersetzt.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." 
@@ -1536,38 +1592,38 @@ msgstr "" "gültig erachtet wird." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1578,48 +1634,48 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "Diese Option kann auch pro Domain gesetzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "PAM-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." 
@@ -1628,12 +1684,12 @@ msgstr "" "Authentication Module« (PAM) einzurichten." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1643,17 +1699,17 @@ msgstr "" "erfolgreichen Anmeldung)?" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Voreinstellung: 0 (unbegrenzt)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1662,12 +1718,12 @@ msgstr "" "Authentifizierungsanbieter offline ist?" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1677,7 +1733,7 @@ msgstr "" "Anmeldeversuch möglich ist." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1689,17 +1745,17 @@ msgstr "" "Authentifizierung reaktivieren." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Voreinstellung: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1708,43 +1764,43 @@ msgstr "" "angezeigt werden. Je höher die Zahl, desto mehr Nachrichten werden angezeigt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "Derzeit unterstützt SSSD folgende Werte:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: keine Nachricht anzeigen" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: nur wichtige Nachrichten anzeigen" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: nur informative Nachrichten anzeigen" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis>: alle Nachrichten und Debug-Informationen anzeigen" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Voreinstellung: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1753,61 +1809,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1819,7 +1875,7 @@ msgstr "" "den neusten Informationen erfolgt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1833,17 +1889,17 @@ msgstr "" "viele Abfragen der Identitätsanbieter zu vermeiden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -1854,7 +1910,7 @@ msgstr "" "SSSD keine Warnung anzeigen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." @@ -1864,7 +1920,7 @@ msgstr "" "automatisch angezeigt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." 
@@ -1873,17 +1929,17 @@ msgstr "" "emphasis> für eine bestimmte Domain außer Kraft gesetzt werden." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Voreinstellung: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1893,75 +1949,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Voreinstellung: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1969,19 +2025,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1989,12 +2045,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -2002,77 +2058,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Voreinstellung: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -2080,7 +2136,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2092,63 +2148,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -2156,12 +2212,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2172,7 +2228,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2180,7 +2236,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2188,7 +2244,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2197,12 +2253,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "Sudo-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2220,12 +2276,12 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." @@ -2235,12 +2291,12 @@ msgstr "" "nicht." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2250,23 +2306,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "AUTOFS-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" "Diese Optionen können zum Konfigurieren des Dienstes »autofs« benutzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2277,23 +2333,23 @@ msgstr "" "nicht existierende), bevor das Backend erneut befragt wird." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "SSH-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" "Diese Optionen können zum Konfigurieren des SSH-Dienstes benutzt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." @@ -2302,12 +2358,12 @@ msgstr "" "»known_hosts« zusammengemischt werden oder nicht." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." 
@@ -2316,17 +2372,17 @@ msgstr "" "»known_hosts« behalten wird, bevor seine Rechnerschlüssel abgefragt werden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Voreinstellung: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2335,24 +2391,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_extra_attrs (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_extra_attrs (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set, i.e. FAST is not used." +msgid "Default: not set, all found rules are used" +msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "PAC-Responder-Konfigurationsoptionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2363,7 +2450,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2374,7 +2461,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." 
@@ -2383,18 +2470,18 @@ msgstr "" "diesen Gruppen hinzugefügt." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" "Diese Optionen können zur Konfiguration des PAC-Responders verwendet werden." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " @@ -2405,14 +2492,14 @@ msgstr "" "beim Starten zu UIDs aufgelöst." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" "Voreinstellung: 0 (Nur dem Benutzer Root ist der Zugriff auf den PAC-" "Responder gestattet.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " 
@@ -2425,24 +2512,24 @@ msgstr "" "der Liste der erlaubten UIDs auch die 0 hinzufügen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2452,66 +2539,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2519,17 +2606,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2537,7 +2624,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2545,22 +2632,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "DOMAIN-ABSCHNITTE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2569,14 +2656,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2585,31 +2672,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." @@ -2618,7 +2705,7 @@ msgstr "" "enthält, der jenseits dieser Beschränkungen liegt, wird er ignoriert." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2631,7 +2718,7 @@ msgstr "" "werden jene, die im Bereich liegen, wie erwartet gemeldet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." @@ -2640,17 +2727,17 @@ msgstr "" "den Zwischenspeicher und nicht nur ihre Rückgabe über Name oder ID." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Voreinstellung: 1 für »min_id«, 0 (keine Beschränkung) für »max_id«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2659,29 +2746,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = Benutzer und Gruppen werden aufgezählt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = keine Aufzählungen für diese Domain" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Voreinstellung: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2695,7 +2782,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -2705,7 +2792,7 @@ msgstr "" "Ergebnisse zurück." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " @@ -2720,7 +2807,7 @@ msgstr "" "benutzten »id_provider«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." 
@@ -2729,32 +2816,32 @@ msgstr "" "insbesondere in großen Umgebungen, nicht empfohlen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "Alle entdeckten vertrauenswürdigen Domains werden aufgezählt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "Keine der entdeckten vertrauenswürdigen Domains wird aufgezählt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2768,12 +2855,12 @@ msgstr "" "Domains aktivieren." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -2782,7 +2869,7 @@ msgstr "" "soll, bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -2800,17 +2887,17 @@ msgstr "" "wurden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Voreinstellung: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -2819,19 +2906,19 @@ msgstr "" "betrachten soll, bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Voreinstellung: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -2840,12 +2927,12 @@ msgstr "" "betrachten soll, bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -2854,12 +2941,12 @@ msgstr "" "betrachten soll, bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" @@ -2868,12 +2955,12 @@ msgstr "" "betrachten soll, bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" @@ -2882,12 +2969,12 @@ msgstr "" "bevor das Backend erneut abgefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" 
@@ -2897,24 +2984,24 @@ msgstr "" "wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." @@ -2924,7 +3011,7 @@ msgstr "" "abgelaufenen oder beinahe abgelaufenen Daten aktualisiert werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2933,48 +3020,48 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" "Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu " "setzen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Voreinstellung: 0 (deaktiviert)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher " "zwischengespeichert werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" "Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext " "gespeichert." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -2982,24 +3069,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -3012,17 +3099,17 @@ msgstr "" "Parameters muss größer oder gleich »offline_credentials_expiration« sein." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Voreinstellung: 0 (unbegrenzt)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -3035,17 +3122,17 @@ msgstr "" "Authentifizierungsanbieter konfiguriert werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -3053,18 +3140,18 @@ msgstr "" "werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3072,7 +3159,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3083,8 +3170,8 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3097,8 +3184,8 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3110,12 +3197,12 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -3125,7 +3212,7 @@ msgstr "" "Benutzers, der an NSS gemeldet wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3139,7 +3226,7 @@ msgstr "" "test@LOCAL</command> würde ihn hingegen finden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3151,22 +3238,22 @@ msgstr "" "nicht voll qualifizierter Name angefragt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3178,7 +3265,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " @@ -3186,12 +3273,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" 
@@ -3200,7 +3287,7 @@ msgstr "" "Authentifizierungsanbieter werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3211,7 +3298,7 @@ msgstr "" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3223,24 +3310,24 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" "»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "»none« deaktiviert explizit die Authentifizierung." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3249,12 +3336,12 @@ msgstr "" "mit Authentifizierungsanfragen umgehen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -3265,7 +3352,7 @@ msgstr "" "Backends enthalten sind). Interne Spezialanbieter sind:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." @@ -3274,12 +3361,12 @@ msgstr "" "für eine lokale Domain." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "»deny« verweigert dem Zugriff immer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3292,7 +3379,7 @@ msgstr "" "simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3300,22 +3387,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Voreinstellung: »permit«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3324,7 +3411,7 @@ msgstr "" "Folgende Anbieter von Passwortänderungen werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3332,7 +3419,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3344,19 +3431,19 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "»none« verbietet explizit Passwortänderungen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3365,19 +3452,19 @@ msgstr "" "kann mit Passwortänderungsanfragen umgehen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden " "unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3388,7 +3475,7 @@ msgstr "" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." @@ -3397,7 +3484,7 @@ msgstr "" "Vorgabeeinstellungen für IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." @@ -3406,19 +3493,19 @@ msgstr "" "Vorgabeeinstellungen für AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "»none« deaktiviert explizit Sudo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" "Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " 
@@ -3435,7 +3522,7 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " @@ -3444,12 +3531,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3460,7 +3547,7 @@ msgstr "" "Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3472,12 +3559,12 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." @@ -3486,12 +3573,12 @@ msgstr "" "kann SELinux-Ladeanfragen handhaben." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" @@ -3501,7 +3588,7 @@ msgstr "" "werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3513,7 +3600,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3522,17 +3609,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "»none« deaktiviert explizit das Abholen von Subdomains." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3540,37 +3627,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -3578,7 +3665,7 @@ msgstr "" "»autofs« werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3590,7 +3677,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3602,7 +3689,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3610,17 +3697,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "»none« deaktiviert explizit »autofs«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -3629,7 +3716,7 @@ msgstr "" "wird. Folgende Anbieter von »hostid« werden unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3641,12 +3728,12 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "»none« deaktiviert explizit »hostid«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3661,7 +3748,7 @@ msgstr "" "(NetBIOS-) Namen der Domain entsprechen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3673,22 +3760,22 @@ msgstr "" "P<Name>[^@\\\\]+)$))« " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "Benutzername" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "Benutzername@Domain.Name" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "Domain\\Benutzername" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." @@ -3698,7 +3785,7 @@ msgstr "" "Windows-Domains zu ermöglichen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3708,7 +3795,7 @@ msgstr "" "bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3718,17 +3805,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Voreinstellung: »%1$s@%2$s«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -3736,46 +3823,46 @@ msgstr "" "ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "unterstützte Werte:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" "ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse " "nachzuschlagen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" "ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse " "nachzuschlagen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Voreinstellung: ipv4_first" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -3784,25 +3871,25 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Voreinstellung: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -3811,52 +3898,52 @@ msgstr "" "DNS-Dienstabfrage an." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "überschreibt die Haupt-GID mit der angegebenen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3864,7 +3951,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " @@ -3873,17 +3960,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3891,34 +3978,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3926,32 +4013,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "flacher (NetBIOS-) Name einer Subdomain" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " @@ -3966,7 +4053,7 @@ msgstr "" "verwendet werden. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" 
@@ -3974,17 +4061,17 @@ msgstr "" "überschrieben werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Voreinstellung: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" @@ -3992,12 +4079,12 @@ msgstr "" "Kennzeichnungen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -4006,19 +4093,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -4026,24 +4113,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -4052,24 +4139,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -4079,14 +4166,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -4094,21 +4181,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -4116,7 +4203,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -4125,7 +4212,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -4134,7 +4221,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -4146,17 +4233,17 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "das Proxy-Ziel, an das PAM weiterleitet" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." @@ -4166,12 +4253,12 @@ msgstr "" "hinzufügen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " 
@@ -4182,12 +4269,12 @@ msgstr "" "$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4201,12 +4288,12 @@ msgstr "" "veranlassen, die ID im Zwischenspeicher nachzuschlagen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -4214,7 +4301,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4223,12 +4310,12 @@ msgstr "" "\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " 
@@ -4245,7 +4332,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " @@ -4253,17 +4340,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -4272,7 +4359,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4282,7 +4369,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" 
@@ -4302,12 +4389,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "Der Abschnitt lokale Domain" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " @@ -4318,29 +4405,29 @@ msgstr "" "<replaceable>ID_Anbieter=lokal</replaceable> benutzt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "die Standard-Shell für Anwender, die mit den SSSD-Werkzeugen für den " "Benutzerbereich erstellt wurde." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Voreinstellung: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4349,17 +4436,17 @@ msgstr "" "replaceable> und benutzen dies als Home-Verzeichnis." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Voreinstellung: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4368,17 +4455,17 @@ msgstr "" "werden soll; kann auf der Befehlszeile überschrieben werden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Voreinstellung: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (Boolesch)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4387,12 +4474,12 @@ msgstr "" "entfernt werden soll; kann auf der Befehlszeile überschrieben werden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4403,17 +4490,17 @@ msgstr "" "Standardzugriffsrechte für ein neu erstelltes Home-Verzeichnis anzugeben." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Voreinstellung: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4426,17 +4513,17 @@ msgstr "" "<manvolnum>8</manvolnum> </citerefentry> erstellt wird" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Voreinstellung: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4447,17 +4534,17 @@ msgstr "" "wurde. Ist dies nicht angegeben wird ein Standardwert verwendet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Voreinstellung: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4469,17 +4556,17 @@ msgstr "" "berücksichtigt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Voreinstellung: keine, es wird kein Befehl ausgeführt" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4490,69 +4577,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4565,7 +4652,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4573,7 +4660,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4582,55 +4669,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4639,17 +4726,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4657,26 +4744,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4685,17 +4772,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4705,7 +4792,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4714,59 +4801,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4774,14 +4861,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4789,7 +4876,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4797,12 +4884,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4856,7 +4943,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4865,7 +4952,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4873,7 +4960,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4884,7 +4971,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4898,7 +4985,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4968,12 +5055,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "KONFIGURATIONSOPTIONEN" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" @@ -4988,18 +5075,18 @@ msgstr "" "aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" "Das Format der URI muss dem in RFC 2732 definierten Format entsprechen:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<Rechner>[:Port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" 
@@ -5007,17 +5094,17 @@ msgstr "" "eckigen Klammern [] stehen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "Beispiel: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -5030,31 +5117,31 @@ msgstr "" "Redundanz finden Sie im Abschnitt »AUSFALLSICHERUNG«. " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "Um die Dienstsuche zu aktivieren, muss »ldap_chpass_dns_service_name« " "gesetzt sein." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Voreinstellung: leer, d.h., dass »ldap_uri« benutzt wird" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" "der Standardbasis-Domain-Name, der zur Durchführung von LDAP-" "Benutzeraktionen benutzt wird" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -5063,20 +5150,20 @@ msgstr "" "Syntax:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" "search_base[?Gültigkeitsbereich?[Filter][?search_base?Gültigkeitsbereich?" "[Filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" "Der Gültigkeitsbereich kann entweder »base«, »onelevel« oder »subtree« sein." #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -5084,14 +5171,14 @@ msgstr "" "Der Filter muss ein gültiger LDAP-Suchfilter, wie durch http://www.ietf.org/" "rfc/rfc2254.txt spezifiziert, sein." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Beispiele:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -5100,7 +5187,7 @@ msgstr "" "dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -5109,7 +5196,7 @@ msgstr "" "(host=Dieser_Rechner)?dc=example.com?Unterverzeichnis?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -5122,7 +5209,7 @@ msgstr "" "Verhalten auf Client-Rechnern führen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -5139,12 +5226,12 @@ msgstr "" "haben, damit dies funktioniert. Mehrere Werte werden nicht unterstützt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -5156,32 +5243,32 @@ msgstr "" "gehandhabt werden, kann sich ebenfalls unterscheiden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "Derzeit werden vier Schematypen unterstützt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -5199,37 +5286,37 @@ msgstr "" "Attribute passend zu den Werten von Active Directory 2008r2." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Voreinstellung: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5238,59 +5325,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" "der Standard-Bind-Domain-Name, der zum Durchführen von LDAP-Aktionen benutzt " "wird" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "der Typ des Authentifizierungs-Tokens des Standard-Bind-Domain-Namens" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "Die beiden derzeit unterstützten Mechanismen sind:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Voreinstellung: password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5299,11932 +5386,12224 @@ msgstr "" "nur Klartextpasswörter unterstützt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "die Objektklasse eines Benutzereintrags in LDAP" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Voreinstellung: posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "das LDAP-Attribut, das zum Anmeldenamen des Benutzers gehört" +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" +"Einige Verzeichnisserver, zum Beispiel Active Directory, könnten den Realm-" +"Teil der UPN in Kleinbuchstaben liefern, was zum Scheitern der " +"Authentifizierung führen kann. 
Setzen Sie diese Option auf einen Wert " +"ungleich Null, falls Sie einen Realm in Großbuchstaben wünschen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "das LDAP-Attribut, das zu der ID des Benutzers gehört" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "Voreinstellung: uidNumber" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"gibt an, wie viele Sekunden lang SSSD warten soll, bevor es seinen " +"Zwischenspeicher aufgezählter Datensätze aktualisiert." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." -msgstr "das LDAP-Attribut, das zu der Hauptgruppen-ID des Benutzers gehört" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Voreinstellung: gidNumber" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" +"bestimmt, wie oft der Zwischenspeicher auf inaktive Einträge überprüft wird " +"(wie Gruppen ohne Mitglieder und Benutzer, die sich noch nie angemeldet " +"haben) und diese entfernt werden, um Platz zu sparen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:334 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (Ganzzahl)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (Zeichenkette)" +"Falls »ldap_schema« auf ein Format gesetzt ist, das verschachtelte Gruppen " +"(z.B. RFC2307bis) unterstützt, dann steuert diese Option, wie viele Stufen " +"tief SSSD der Verschachtelung folgt. Diese Option hat keine Auswirkungen auf " +"das Schema RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "das LDAP-Attribut, das zum Gecos-Feld des Benutzers gehört" +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" +"Hinweis: Diese Option gibt die garantierte Tiefe verschachtelter Gruppen an, " +"die bei Suchvorgängen verarbeitet werden soll. Dennoch <emphasis>können</" +"emphasis> auch tiefer verschachtelte Gruppen einbezogen werden, falls bei " +"früheren Suchvorgängen die tieferen Ebenen bereits einmal berücksichtigt " +"wurden. Außerdem können folgende Suchvorgänge für andere Gruppen die " +"Ergebnisse des ursprünglichen Suchvorgangs vergrößern, wenn die Suche erneut " +"erfolgt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Voreinstellung: gecos" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (Zeichenkette)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Voreinstellung: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" -"das LDAP-Attribut, das den Namen des Home-Verzeichnisses des Benutzers " -"enthält" +"Diese Optionen aktivieren oder deaktivieren die Verwendung des Token-Gruppen-" +"Attributs, wenn »initgroup« für Benutzers des Active Directory Servers 2008 " +"und neuere Versionen ausgeführt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (Zeichenkette)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" -"das LDAP-Attribut, das den Pfad zur Standard-Shell des Benutzers enthält" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " +"Rechnerobjekte" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Voreinstellung: loginShell" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" +"Informationen über das Konfigurieren mehrerer Suchgrundlagen finden Sie " +"unter »ldap_search_base«." + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Voreinstellung: der Wert von <emphasis>ldap_search_base</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." 
+#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" +"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-" +"Suchen laufen dürfen, bevor sie abgebrochen und die zwischengespeicherten " +"Ergebnisse zurückgegeben werden (und in den Offline-Modus gegangen wird)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" +"Hinweis: Diese Option ist in zukünftigen Versionen von SSSD Gegenstand von " +"Änderungen. Sie wird wahrscheinlich an einigen Stellen durch Serien von " +"Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (Zeichenkette)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." 
+"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" -"das LDAP-Attribut, das die objectSID eines LDAP-Benutzerobjekts enthält. " -"Dies wird normalerweise nur für Active-Directory-Server benötigt." +"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-" +"Suchen nach Benutzer- und Gruppenaufzählungen laufen dürfen, bevor sie " +"abgebrochen und die zwischengespeicherten Ergebnisse zurückgegeben werden " +"(und in den Offline-Modus gegangen wird)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +#: sssd-ldap.5.xml:461 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" +"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, nach dem " +"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " +"<manvolnum>2</manvolnum> </citerefentry> gefolgt von einem <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> zurückkehrt, falls keine Aktivität stattfindet." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (Zeichenkette)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:487 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"das LDAP-Attribut, das den Zeitstempel der letzten Änderung im " -"übergeordneten Objekt enthält" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Voreinstellung: modifyTimestamp" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (Zeichenkette)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (Ganzzahl)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (Datum der letzten Passwortänderung) gehört." +"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem eine " +"Verbindung zu einem LDAP-Server aufrechterhalten wird. Nach dieser Zeit wird " +"die Verbindung erneut aufgebaut. Wird dies parallel zu SASL/GSSAPI benutzt, " +"wird der frühere der beiden Werte (dieser Wert gegenüber der TGT-" +"Lebensdauer) verwendet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Voreinstellung: shadowLastChange" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Voreinstellung: 900 (15 Minuten)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (Zeichenkette)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (Ganzzahl)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (Mindestpasswortalter) gehört." +"gibt die Anzahl der Datensätze an, die in einer einzelnen Anfrage von LDAP " +"empfangen werden. Einige LDAP-Server erzwingen eine Begrenzung des Maximums " +"pro Anfrage." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Voreinstellung: shadowMin" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Voreinstellung: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (Zeichenkette)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (Boolesch)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (maximales Passwortalter) gehört." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Voreinstellung: shadowMax" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (Zeichenkette)" +"deaktiviert die Seitenadressierungssteuerung von LDAP. Diese Option sollte " +"benutzt werden, falls der LDAP-Server meldet, dass er die LDAP-" +"Seitenadressierungssteuerung in seinem RootDSE unterstützt, sie jedoch " +"deaktiviert ist oder sich nicht ordnungsgemäß verhält." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (Passwortwarnperiode) gehört." +"Beispiel: OpenLDAP-Server, bei denen das Seitenadressierungssteuerungsmodul " +"installiert, aber nicht aktiviert ist, werden es im RootDSE melden, sind " +"aber nicht in der Lage, es zu benutzen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Voreinstellung: shadowWarning" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"Beispiel: 389 DS hat einen Fehler, durch den es gleichzeitig nur eine " +"einzige Seitenadressierungssteuerung für eine einzelne Verbindung benutzen " +"kann. Bei ausgelasteten Clients kann dies dazu führen, dass manche Anfragen " +"abgelehnt werden." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (Zeichenkette)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 -msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." -msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (Passwortinaktivitätsperiode) gehört." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "deaktiviert die Bereichsabfrage von Active Directory" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Voreinstellung: shadowInactive" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" +"Active Directory begrenzt die Anzahl der Mitglieder, die in einem einzigen " +"Nachschlagen mittels der MaxValRange-Richtlinie empfangen werden können (die " +"Voreinstellung sind 1.500 Mitglieder). 
Falls eine Gruppe mehr Mitglieder " +"enthält, wird die Antwort eine AD-spezifische Bereichserweiterung enthalten. " +"Diese Option deaktiviert das Auswerten der Bereichserweiterung, daher wird " +"es so aussehen, als ob große Gruppen keine Mitglieder hätten." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (Zeichenkette)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " -"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (Ablaufdatum des Kontos) gehört." +"Wenn mittels SASL mit einem LDAP-Server kommuniziert wird, gibt dies die " +"mindestens nötige Sicherheitsstufe zum Herstellen der Verbindung an. Die " +"Werte dieser Option werden durch OpenLDAP definiert." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Voreinstellung: shadowExpire" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" +"Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in " +"»ldap.conf« angegeben)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (Zeichenkette)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter " -"den Namen eines LDAP-Attributs, in dem Datum und Zeit der letzten " -"Passwortänderung in Kerberos gespeichert sind." +"gibt die Anzahl der Gruppenmitglieder an, die aus dem internen " +"Zwischenspeicher fehlen muss, um ein dereferenzierendes Nachschlagen " +"auszulösen. Falls weniger Mitglieder fehlen, werden sie individuell " +"nachgeschlagen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Voreinstellung: krbLastPwdChange" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (Zeichenkette)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter " -"den Namen eines LDAP-Attributs, welches das Datum und die Zeit enthält, wann " -"das aktuelle Passwort erlischt." +"Dereferenzierendes Nachschlagen ist ein Mittel, um alle Gruppenmitglieder in " +"einem einzigen LDAP-Aufruf abzuholen. Verschiedene LDAP-Server können " +"unterschiedliche Methoden zum Dereferenzieren implementieren. Die derzeit " +"unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Voreinstellung: krbPasswordExpiration" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" +"<emphasis>Hinweis:</emphasis> Falls eine der Suchgrundlagen einen Suchfilter " +"angibt, wird die Verbesserung der Leistung beim dereferenzierenden " +"Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (Zeichenkette)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" -"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter " -"den Namen eines LDAP-Attributs, in dem die Zeit gespeichert ist, wann das " -"Konto erlischt." +"gibt an, welche Prüfungen von Server-Zertifikaten in einer TLS-Sitzung " +"durchgeführt werden, falls vorhanden. Dies kann in Form einer der folgenden " +"Werte angegeben werden:" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Voreinstellung: accountExpires" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (Zeichenkette)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = Der Client wird kein Server-Zertifikat prüfen " +"oder anfordern." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" -"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter " -"den Namen eines LDAP-Attributs, in dem das Steuer-Bit-Feld des " -"Benutzerkontos gespeichert ist." +"<emphasis>allow</emphasis> = Das Server-Zertifikat wird angefordert. Falls " +"kein Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls " +"ein ungültiges Zertifikat bereitgestellt wird, wird es ignoriert und die " +"Sitzung fährt normal fort." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Voreinstellung: userAccountControl" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (Zeichenkette)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" +"<emphasis>try</emphasis> = Das Server-Zertifikat wird angefordert. Falls das " +"Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls ein " +"ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" -"Wenn »ldap_account_expire_policy=rhds« oder Entsprechendes benutzt wird, " -"legt dieser Parameter fest, ob Zugriff gewährt wird oder nicht." +"<emphasis>demand</emphasis> = Das Server-Zertifikat wird angefordert. Falls " +"kein oder ein ungültiges Zertifikat bereitgestellt wird, wird die Sitzung " +"sofort beendet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "Voreinstellung: nsAccountLock" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = entspricht »demand«" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Voreinstellung: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (Zeichenkette)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut " -"fest, ob Zugriff gewährt wird oder nicht." +"gibt die Datei an, die Zertifikate für alle Zertifizierungstellen enthält, " +"die <command>sssd</command> erkennen wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Voreinstellung: loginDisabled" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" +"Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus " +"<filename>/etc/openldap/ldap.conf</filename>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (Zeichenkette)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" -"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieser Parameter " -"fest, bis zu welchem Datum Zugriff gewährt wird." +"gibt den Pfad eines Verzeichnisses an, das Zertifikate von " +"Zertifizierungstellen in separaten individuellen Dateien enthält. Die " +"Dateinamen sollen normalerweise ein Hash-Wert des Zertifikats gefolgt von " +"».0« sein. Falls verfügbar, kann <command>cacertdir_rehash</command> zum " +"Erstellen der korrekten Namen verwendet werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (Zeichenkette)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." 
+#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut die " -"Stunden eines Wochentages fest, in denen Zugriff gewährt wird." +"gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Voreinstellung: loginAllowedTimeMap" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "gibt die Datei an, die den Schlüssel des Clients enthält." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (Zeichenkette)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:741 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"das LDAP-Attribut, das den Kerberos User Principal Name (UPN/" -"Hauptbenutzername) enthält." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Voreinstellung: krbPrincipalName" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (Zeichenkette)" +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#: sssd-ldap.5.xml:757 msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" -"Durch Kommata getrennte Liste der LDAP-Attribute, die SSSD zusammen mit den " -"üblichen Benutzerattributen holen soll." +"gibt an, dass die Verbindung »id_provider« auch <systemitem class=\"protocol" +"\">tls</systemitem> benutzen muss, um den Kanal abzusichern." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 +#: sssd-ldap.5.xml:770 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." 
msgstr "" -"Die Liste kann entweder nur Namen von LDAP-Attributen enthalten, oder durch " -"Doppelpunkte getrennte Tupel aus Attributnamen des SSSD-Zwischenspeichers " -"und Namen von LDAP-Attributen. Wenn nur die Namen von LDAP-Attributen " -"angegeben werden, wird das Attribut unverändert im Zwischenspeicher " -"gespeichert. Die Verwendung eines benutzerdefinierten SSSD-Attributnamens " -"kann in Umgebungen notwendig sein, in denen mehrere SSSD-Domains mit " -"unterschiedlichen LDAP-Schemata eingerichtet sind." +"gibt an, dass SSSD versuchen soll, die Benutzer- und Gruppen-ID von den " +"Attributen »ldap_user_objectsid« und »ldap_group_objectsid« abzubilden, " +"statt sich auf »ldap_user_uid_number« und »ldap_group_gid_number« zu " +"verlassen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -"Bitte beachten Sie, dass diverse Attributnamen durch SSSD reserviert sind, " -"beispielsweise das Attribut <quote>name</quote>. SSSD würde einen Fehler " -"melden, falls eines der reservierten Attribute als zusätzlicher Attributname " -"verwendet wird." +"Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-" +"Directory-ObjectSIDs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:789 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" -"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als " -"<quote>telephoneNumber</quote> im Zwischenspeicher." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" +"Im Gegensatz zum SID-basierten ID-Abbilden, das benutzt wird, falls " +"»ldap_id_mapping« auf »true« gesetzt ist, ist der erlaubte ID-Bereich für " +"»ldap_user_uid_number« und »ldap_group_gid_number« offen. In einer " +"Konfiguration mit Unter-Domains und vertrauenswürdigen Domains könnte dies " +"zu ID-Kollisionen führen. Um Kollisionen zu vermeiden, können »ldap_min_id« " +"und »ldap_max_id« zum Begrenzen des erlaubten Bereichs für direkt vom Server " +"gelesene IDs verwendet werden. Unter-Domains können dann andere Bereiche zur " +"Abbildung von IDs wählen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." 
-msgstr "" -"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als " -"<quote>phone</quote> im Zwischenspeicher." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (Zeichenkette)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:810 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"das LDAP-Attribut, das die öffentlichen SSH-Schlüssel des Benutzers enthält" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:814 +msgid "" +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (Boolesch)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (Zeichenkette)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"Einige Verzeichnisserver, zum Beispiel Active Directory, könnten den Realm-" -"Teil der UPN in Kleinbuchstaben liefern, was zum Scheitern der " -"Authentifizierung führen kann. Setzen Sie diese Option auf einen Wert " -"ungleich Null, falls Sie einen Realm in Großbuchstaben wünschen." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:833 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." 
msgstr "" -"gibt an, wie viele Sekunden lang SSSD warten soll, bevor es seinen " -"Zwischenspeicher aufgezählter Datensätze aktualisiert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "Voreinstellung Rechner/MeinRechner@BEREICH" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (Ganzzahl)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:862 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" -"bestimmt, wie oft der Zwischenspeicher auf inaktive Einträge überprüft wird " -"(wie Gruppen ohne Mitglieder und Benutzer, die sich noch nie angemeldet " -"haben) und diese entfernt werden, um Platz zu sparen." +"gibt den SASL-Realm an, der benutzt werden soll. Wurde diese Option nicht " +"angegeben, ist die Voreinstellung der Wert von »krb5_realm«. Falls " +"»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. 
By default, " -"the cleanup task will run every 3 hours with enumeration enabled." -msgstr "" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Voreinstellung: der Wert von »krb5_realm«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (Zeichenkette)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht" +#: sssd-ldap.5.xml:877 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" +"Falls dies auf »true« gesetzt wäre, würde die LDAP-Bibliothek ein " +"umgekehrtes Nachschlagen durchführen, um den Rechnernamen während eines SASL-" +"Bind in eine kanonische Form zu bringen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Voreinstellung: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Voreinstellung: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (Zeichenkette)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (Zeichenkette)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" -"das LDAP-Attribut, das die Gruppenmitgliedschaften des Benutzers aufführt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Voreinstellung: memberOf" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5." +"keytab</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (Zeichenkette)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -"Falls »access_provider=ldap« und »ldap_access_order=authorized_service« " -"benutzt werden, wird SSSD die Anwesenheit das Attributs »authorizedService« " -"im LDAP-Eintrag den Benutzers nutzen, um die Zugriffsrechte zu bestimmen." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:919 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" -"Ein explizites Verweigern (»!svc«) wird zuerst aufgelöst. Als Zweites sucht " -"SSSD eine explizite Erlaubnis (»svc«) und zuletzt nach »allow_all« (*)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Voreinstellung: 86400 (24 Stunden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:932 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " -"»authorized_service« enthalten <emphasis>muss</emphasis>, damit die Option " -"»ldap_user_authorized_service« funktioniert." +"gibt die durch Kommata getrennte Liste von IP-Adressen bzw. Rechnernamen von " +"Kerberos-Servern in der Reihenfolge an, in der sich SSSD mit ihnen verbinden " +"soll. Weitere Informationen über Ausfallsicherung und Redundanz finden Sie " +"im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder Rechnernamen kann eine " +"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt " +"werden. Falls dies leer gelassen wurde, wird die Dienstsuche aktiviert. " +"Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" +"Wenn die Dienstsuche für Schlüsselverwaltungszentralen- (KDC) oder Kpasswd-" +"Server benutzt wird, durchsucht SSSD zuerst die DNS-Einträge, die_udp als " +"Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Voreinstellung: authorizedService" +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"Diese Option hieß in früheren Veröffentlichungen von SSSD »krb5_kdcip«. " +"Obwohl der alte Name einstweilen noch in Erinnerung ist, wird Anwendern " +"geraten, ihre Konfigurationsdateien auf die Verwendung von »krb5_server« zu " +"migrieren." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (Zeichenkette)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 -msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" -"Falls »access_provider=ldap« und »ldap_access_order=host« benutzt werden, " -"wird SSSD die Anwesenheit das Attributs »host« im LDAP-Eintrag den Benutzers " -"verwenden, um die Zugriffsrechte zu bestimmen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." 
+#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" -"Ein explizites Verweigern (»!host«) wird zuerst aufgelöst. Als Zweites sucht " -"SSSD eine explizite Erlaubnis (»host«) und zuletzt nach »allow_all« (*)." +"Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</" +"filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:974 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" -"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« »host« " -"enthalten <emphasis>muss</emphasis>, damit die Option " -"»ldap_user_authorized_host« funktioniert." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Voreinstellung: host" +"gibt an, ob der Host Principal beim Verbinden mit einem LDAP-Server in eine " +"kanonische Form gebracht werden soll. Diese Funktionalität ist mit MIT " +"Kerberos >= 1.7 verfügbar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (Boolesch)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" +"gibt an, ob SSSD die Kerberos-Bibliotheken anweisen soll, welcher Realm und " +"welche Schlüsselverwaltungszentralen (KDCs) benutzt werden sollen. Diese " +"Option ist standardmäßig eingeschaltet. Falls Sie sie ausschalten, müssen " +"Sie die Kerberos-Bibliothek mittels der Konfigurationsdatei " +"<citerefentry><refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> einrichten." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" +"Weitere Informationen über die Locator-Erweiterung finden Sie auf der " +"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:1017 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" +"wählt das Regelwerk, anhand dessen das Client-seitige Erlöschen des " +"Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" +"<emphasis>none</emphasis> – keine Client-seitige Abschätzung. Diese Option " +"kann keine Server-seitigen Passwortregelwerke deaktivieren." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" +"<emphasis>shadow</emphasis> – benutzt Attribute im Stil von " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" +"<emphasis>mit_kerberos</emphasis> – verwendet die von MIT Kerberos benutzten " +"Attribute, um zu bestimmen, ob das Passwort erloschen ist. Verwenden Sie " +"»chpass_provider=krb5«, um diese Attribute zu aktualisieren, wenn das " +"Passwort geändert wurde." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" +"<emphasis>Hinweis</emphasis>: Falls serverseitig eine Passwortregel " +"konfiguriert ist, hat diese stets Vorrang vor der mit dieser Option " +"festgelegten Regel." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." -msgstr "" +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" +"Bitte beachten Sie, dass SSSD nur Verweisverfolgung unterstützt, falls es " +"mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" +"Verweisverfolgungen können in Umgebungen, die ausgiebig von ihnen Gebrauch " +"machen, einen Leistungsnachteil erleiden, ein beachtenswertes Beispiel ist " +"Microsoft Active Directory. Falls ihre Installation Verweisverfolgungen " +"nicht tatsächlich benötigt, könnte diese Option auf »false« zu setzen eine " +"merkliche Leistungsverbesserung bringen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (Zeichenkette)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (Zeichenkette)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "die Objektklasse eines Gruppeneintrags in LDAP" +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Voreinstellung: posixGroup" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Voreinstellung: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (Zeichenkette)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "das LDAP-Attribut, das dem Gruppennamen entspricht" +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"gibt den Dienstnamen an, der zum Finden eines LDAP-Servers benutzt werden " +"soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (Zeichenkette)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "das LDAP-Attribut, das der Gruppen-ID entspricht" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" +"gibt an, ob das Attribut »ldap_user_shadow_last_change« nach einer " +"Passwortänderung mit Unix-Zeit geändert wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (Zeichenkette)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält" +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. 
Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" +"Falls access_provider = ldap und ldap_access_order = filter ist " +"(Voreinstellung), dann ist diese Option obligatorisch. Sie gibt ein " +"Suchfilterkriterium für LDAP an, dass auf den Benutzer passen muss, damit " +"diesem Zugriff auf den Host gewährt wird. Falls access_provider = ldap und " +"ldap_access_order = filter ist und diese Option nicht gesetzt ist, wird " +"allen Benutzern der Zugriff verweigert. Verwenden Sie access_provider = " +"permit, um dieses Standardverhalten zu ändern. Bitte beachten Sie, dass " +"dieser Filter nur auf den LDAP-Benutzereintrag angewendet wird und daher die " +"auf verschachtelten Gruppen basierende Filterung nicht funktioniert. " +"Beispielsweise zeigt das Active-Directory-Attribut »memberOf« nur auf die " +"unmittelbaren Eltern. Falls die Filterung basierend auf verschachtelten " +"Gruppen erforderlich sein sollte, finden Sie genauere Anweisungen in der " +"Handbuchseite zu <citerefentry> <refentrytitle>sssd-simple</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Voreinstellung: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Beispiel:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (Zeichenkette)" +"In diesem Beispiel wird der Zugriff auf diesen Host auf jene Benutzer " +"beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1153 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" -"das LDAP-Attribut, das die ObjectSID eines LDAP-Gruppenobjekts enthält. Dies " -"wird normalerweise nur für Active-Directory-Server benötigt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (Zeichenkette)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Voreinstellung: leer" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (Ganzzahl)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" -"Das LDAP-Attribut, das einen Ganzzahlwert enthält, der den Gruppentyp und " -"eventuell weitere Flags enthält." +"Mit dieser Option kann eine Client-seitige Abschätzung der " +"Zugriffssteuerungsattribute aktiviert werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1174 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" -"Dieses Attribut wird derzeit nur vom AD-Anbieter verwendet, um zu ermitteln, " -"ob eine Gruppe eine lokale Domain-Gruppe ist und aus den vertrauenswürdigen " -"Domains herausgefiltert werden sollte." +"Bitte beachten Sie, dass die Server-seitige Zugriffssteuerung generell " +"empfohlen wird, d.h. 
der LDAP-Server sollte die Bind-Abfrage sogar dann mit " +"einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Die folgenden Werte sind erlaubt:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" +"<emphasis>shadow</emphasis>: verwendet den Wert von " +"»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" +"<emphasis>ad</emphasis>: verwendet den Wert des 32-Bit-Felds " +"»ldap_user_ad_user_account_control« und ermöglicht den Zugriff, falls das " +"zweite Bit nicht gesetzt ist. Falls das Attribut fehlt, wird Zugriff " +"gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." 
msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: verwenden den Wert von »ldap_ns_account_lock«, um zu prüfen, ob " +"Zugriff erlaubt wird oder nicht." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1202 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" +"<emphasis>nds</emphasis>: Die Werte von " +"»ldap_user_nds_login_allowed_time_map«, »ldap_user_nds_login_disabled« und " +"»ldap_user_nds_login_expiration_time« werden benutzt, um zu überprüfen, ob " +"Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " +"»expire« enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_account_expire_policy« funktioniert." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (Ganzzahl)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (Zeichenkette)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte " +"sind erlaubt:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1234 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -"Falls »ldap_schema« auf ein Format gesetzt ist, das verschachtelte Gruppen " -"(z.B. RFC2307bis) unterstützt, dann steuert diese Option, wie viele Stufen " -"tief SSSD der Verschachtelung folgt. Diese Option hat keine Auswirkungen auf " -"das Schema RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1244 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. 
Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" -"Hinweis: Diese Option gibt die garantierte Tiefe verschachtelter Gruppen an, " -"die bei Suchvorgängen verarbeitet werden soll. Dennoch <emphasis>können</" -"emphasis> auch tiefer verschachtelte Gruppen einbezogen werden, falls bei " -"früheren Suchvorgängen die tieferen Ebenen bereits einmal berücksichtigt " -"wurden. Außerdem können folgende Suchvorgänge für andere Gruppen die " -"Ergebnisse des ursprünglichen Suchvorgangs vergrößern, wenn die Suche erneut " -"erfolgt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1251 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" -#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Voreinstellung: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1272 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -"Diese Optionen aktivieren oder deaktivieren die Verwendung des Token-Gruppen-" -"Attributs, wenn »initgroup« für Benutzers des Active Directory Servers 2008 " -"und neuere Versionen ausgeführt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (Zeichenkette)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "die Objektklasse eines Netzgruppeneintrags in LDAP" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" -"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_object_class« benutzt " -"werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Voreinstellung: nisNetgroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "das LDAP-Attribut, das dem Netzgruppennamen entspricht" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." 
+#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_name« benutzt werden." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." -msgstr "das LDAP-Attribut, das die Namen der Netzgruppenmitglieder enthält" +"<emphasis>authorized_service</emphasis>: verwendet das Attribut " +"»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" -"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_member« benutzt werden." +"<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, " +"ob Zugriff gewährt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Voreinstellung: memberNisNetgroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (Zeichenkette)" +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1312 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -"das LDAP-Attribut, das die Netzgruppen-Triples (Rechner, Benutzer, Domain) " -"enthält" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." -msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Voreinstellung: filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Voreinstellung: nisNetgroupTriple" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (Zeichenkette)" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" +"Bitte beachten Sie, dass es ein Konfigurationsfehler ist, falls ein Wert " +"mehr als einmal benutzt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." 
+#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Voreinstellung: ipService" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" +"gibt an, wie Alias-Dereferenzierung bei einer Suche erledigt wird. Die " +"folgenden Optionen sind erlaubt:" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "" +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" +"<emphasis>searching</emphasis>: Alias werden auf Unterebenen des " +"Basisobjekts dereferenziert, nicht jedoch beim Orten des Basisobjekts der " +"Suche." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" +"<emphasis>finding</emphasis>: Alias werden nur beim Orten des Basisobjekts " +"der Suche dereferenziert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" +"<emphasis>always</emphasis>: Alias werden sowohl bei der Suche als auch beim " +"Orten des Basisobjekts der Suche dereferenziert." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" +"Voreinstellung: leer (Dies wird durch LDAP-Client-Bibliotheken wie " +"<emphasis>never</emphasis> gehandhabt.)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " -"Rechnerobjekte" +"ermöglich, lokale Anwender als Mitglieder einer LDAP-Gruppe für Server " +"beizubehalten, die das Schema RFC2307 benutzen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1389 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. 
" +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"Informationen über das Konfigurieren mehrerer Suchgrundlagen finden Sie " -"unter »ldap_search_base«." +"In einigen Umgebungen, in denen das Schema RFC2307 verwendet wird, werden " +"lokale Benutzer zu Mitgliedern einer LDAP-Gruppe gemacht, indem ihre Namen " +"dem Attribut »memberUid« hinzugefügt werden. Die eigene Stimmigkeit der " +"Domain wird dabei kompromittiert, daher würde SSSD normalerweise »fehlende« " +"Anwender aus den zwischengespeicherten Gruppenmitgliedschaften entfernen, " +"sobald Nsswitch versucht, Informationen über den Anwender durch Aufrufen von " +"getpw*() oder initgroups() abzurufen." -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Voreinstellung: der Wert von <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" +"Diese Option greift auf das Prüfen zurück, ob auf lokale Benutzer Bezug " +"genommen wird und speichert sie, so dass spätere Aufrufe von »initgroups() " +"die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. 
Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Alle häufigen Konfigurationsoptionen, die für SSSD-Domains gelten, gelten " +"auch für LDAP-Domains. Umfassende Einzelheiten finden Sie im Abschnitt " +"»DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. <placeholder " +"type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." -msgstr "die Objektklasse eines Diensteintrags in LDAP" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "SUDO-OPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" +"Detaillierte Anweisungen zur Konfiguration von sudo_provider finden Sie in " +"der Handbuchseite zu <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (Zeichenkette)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1449 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" -"das LDAP-Attribut, das die Namen von Dienstattributen und ihre Alias enthält" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (Zeichenkette)" +"wie viele Sekunden SSSD zwischen einer vollständigen Aktualisierung von Sudo-" +"Regeln warten wird (wodurch alle auf dem Server gespeicherten Regeln " +"heruntergeladen werden)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "das LDAP-Attribut, das den von diesem Dienst verwalteten Port enthält" +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"Der Wert muss größer als <emphasis>ldap_sudo_smart_refresh_interval</" +"emphasis> sein." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Voreinstellung: ipServicePort" +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Voreinstellung: 21600 (6 Stunden)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (Zeichenkette)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1468 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -"das LDAP-Attribut, das die von diesem Dienst verstandenen Protokolle enthält" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Voreinstellung: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1474 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." 
msgstr "" -"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-" -"Suchen laufen dürfen, bevor sie abgebrochen und die zwischengespeicherten " -"Ergebnisse zurückgegeben werden (und in den Offline-Modus gegangen wird)." +"Falls vom Server keine USN-Attribute unterstützt werden, wird stattdessen " +"das Attribut »modifyTimestamp« benutzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1478 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" -"Hinweis: Diese Option ist in zukünftigen Versionen von SSSD Gegenstand von " -"Änderungen. Sie wird wahrscheinlich an einigen Stellen durch Serien von " -"Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (Ganzzahl)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (Boolesch)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" -"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-" -"Suchen nach Benutzer- und Gruppenaufzählungen laufen dürfen, bevor sie " -"abgebrochen und die zwischengespeicherten Ergebnisse zurückgegeben werden " -"(und in den Offline-Modus gegangen wird)." +"Falls dies auf »true« gesetzt ist, wird SSSD nur die Regeln herunterladen, " +"die auf diese Maschine angewandt werden können (mittels der IPv4- oder IPv6-" +"Netzwerkadressen und Rechnernamen)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (Ganzzahl)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." 
msgstr "" -"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, nach dem " -"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " -"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " -"<manvolnum>2</manvolnum> </citerefentry> gefolgt von einem <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> zurückkehrt, falls keine Aktivität stattfindet." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (Ganzzahl)" +"durch Leerzeichen getrennte Listen von Rechnernamen oder voll qualifizierten " +"Domain-Namen, die zum Filtern der Regeln benutzt werden sollen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1517 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (Ganzzahl)" +"Falls diese Option leer ist, wird SSSD versuchen, den Rechnernamen und den " +"voll qualifizierten Domain-Namen automatisch herauszufinden." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem eine " -"Verbindung zu einem LDAP-Server aufrechterhalten wird. Nach dieser Zeit wird " -"die Verbindung erneut aufgebaut. Wird dies parallel zu SASL/GSSAPI benutzt, " -"wird der frühere der beiden Werte (dieser Wert gegenüber der TGT-" -"Lebensdauer) verwendet." +"Falls <emphasis>ldap_sudo_use_host_filter</emphasis> <emphasis>false</" +"emphasis> ist, hat diese Option keine Auswirkungen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Voreinstellung: 900 (15 Minuten)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "Voreinstellung: nicht angegeben" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (Ganzzahl)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. 
" -"Some LDAP servers enforce a maximum limit per-request." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"gibt die Anzahl der Datensätze an, die in einer einzelnen Anfrage von LDAP " -"empfangen werden. Einige LDAP-Server erzwingen eine Begrenzung des Maximums " -"pro Anfrage." +"durch Kommata getrennte Liste von IPv4- oder IPv6-Rechner- beziehungsweise " +"Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Voreinstellung: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" +"Falls diese Option leer ist, wird SSSD versuchen, die Adressen automatisch " +"herauszufinden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (Boolesch)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1559 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"deaktiviert die Seitenadressierungssteuerung von LDAP. 
Diese Option sollte " -"benutzt werden, falls der LDAP-Server meldet, dass er die LDAP-" -"Seitenadressierungssteuerung in seinem RootDSE unterstützt, sie jedoch " -"deaktiviert ist oder sich nicht ordnungsgemäß verhält." +"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " +"eine Netzgruppe im Attribut »sudoHost« enthält." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1577 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -"Beispiel: OpenLDAP-Server, bei denen das Seitenadressierungssteuerungsmodul " -"installiert, aber nicht aktiviert ist, werden es im RootDSE melden, sind " -"aber nicht in der Lage, es zu benutzen." +"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " +"einen Platzhalter im Attribut »sudoHost« enthält." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" 
msgstr "" -"Beispiel: 389 DS hat einen Fehler, durch den es gleichzeitig nur eine " -"einzige Seitenadressierungssteuerung für eine einzelne Verbindung benutzen " -"kann. Bei ausgelasteten Clients kann dies dazu führen, dass manche Anfragen " -"abgelehnt werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" +"Diese Handbuchseite beschreibt nur das Abbilden von Attributnamen. Eine " +"umfassende Erklärung der Sudo-bezogenen Attributsemantik finden Sie unter " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "deaktiviert die Bereichsabfrage von Active Directory" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "AUTOFS-OPTIONEN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. 
This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -"Active Directory begrenzt die Anzahl der Mitglieder, die in einem einzigen " -"Nachschlagen mittels der MaxValRange-Richtlinie empfangen werden können (die " -"Voreinstellung sind 1.500 Mitglieder). Falls eine Gruppe mehr Mitglieder " -"enthält, wird die Antwort eine AD-spezifische Bereichserweiterung enthalten. " -"Diese Option deaktiviert das Auswerten der Bereichserweiterung, daher wird " -"es so aussehen, als ob große Gruppen keine Mitglieder hätten." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (Ganzzahl)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." -msgstr "" -"Wenn mittels SASL mit einem LDAP-Server kommuniziert wird, gibt dies die " -"mindestens nötige Sicherheitsstufe zum Herstellen der Verbindung an. Die " -"Werte dieser Option werden durch OpenLDAP definiert." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." +msgstr "Der Name der Automount-Master-Abbildung in LDAP." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" -msgstr "" -"Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in " -"»ldap.conf« angegeben)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Voreinstellung: auto.master" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "ERWEITERTE OPTIONEN" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (Ganzzahl)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -"gibt die Anzahl der Gruppenmitglieder an, die aus dem internen " -"Zwischenspeicher fehlen muss, um ein dereferenzierendes Nachschlagen " -"auszulösen. Falls weniger Mitglieder fehlen, werden sie individuell " -"nachgeschlagen." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -"Dereferenzierendes Nachschlagen ist ein Mittel, um alle Gruppenmitglieder in " -"einem einzigen LDAP-Aufruf abzuholen. Verschiedene LDAP-Server können " -"unterschiedliche Methoden zum Dereferenzieren implementieren. Die derzeit " -"unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." -msgstr "" -"<emphasis>Hinweis:</emphasis> Falls eine der Suchgrundlagen einen Suchfilter " -"angibt, wird die Verbesserung der Leistung beim dereferenzierenden " -"Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (Zeichenkette)" +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"gibt an, welche Prüfungen von Server-Zertifikaten in einer TLS-Sitzung " -"durchgeführt werden, falls vorhanden. Dies kann in Form einer der folgenden " -"Werte angegeben werden:" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "BEISPIEL" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -"<emphasis>never</emphasis> = Der Client wird kein Server-Zertifikat prüfen " -"oder anfordern." +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " +"LDAP auf eine der Domains im Abschnitt <replaceable>[domains]</replaceable> " +"gesetzt ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"<emphasis>allow</emphasis> = Das Server-Zertifikat wird angefordert. Falls " -"kein Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. 
Falls " -"ein ungültiges Zertifikat bereitgestellt wird, wird es ignoriert und die " -"Sitzung fährt normal fort." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -"<emphasis>try</emphasis> = Das Server-Zertifikat wird angefordert. Falls das " -"Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls ein " -"ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"<emphasis>demand</emphasis> = Das Server-Zertifikat wird angefordert. Falls " -"kein oder ein ungültiges Zertifikat bereitgestellt wird, wird die Sitzung " -"sofort beendet." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = entspricht »demand«" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Voreinstellung: hard" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"gibt die Datei an, die Zertifikate für alle Zertifizierungstellen enthält, " -"die <command>sssd</command> erkennen wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "ANMERKUNGEN" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -"Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus " -"<filename>/etc/openldap/ldap.conf</filename>" +"Die Beschreibungen einiger Konfigurationsoptionen auf dieser Handbuchseite " +"basieren auf der Handbuchseite <citerefentry> <refentrytitle>ldap.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> der Distribution " +"OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (Zeichenkette)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "PAM-Modul für SSSD" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -"gibt den Pfad eines Verzeichnisses an, das Zertifikate von " -"Zertifizierungstellen in separaten individuellen Dateien enthält. Die " -"Dateinamen sollen normalerweise ein Hash-Wert des Zertifikats gefolgt von " -"».0« sein. Falls verfügbar, kann <command>cacertdir_rehash</command> zum " -"Erstellen der korrekten Namen verwendet werden." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." 
msgstr "" -"gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält." +"<command>pam_sss.so</command> ist die PAM-Schnittstelle des " +"Systemsicherheitsdienst-Daemons (»System Security Services daemon«/SSSD). " +"Fehler und Ergebnisse werden durch <command>syslog(3)</command> mit der " +"Fertigkeit LOG_AUTHPRIV protokolliert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "gibt die Datei an, die den Schlüssel des Clients enthält." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "unterdrückt Protokollnachrichten für unbekannte Benutzer" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. 
See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" +"Falls <option>forward_pass</option> gesetzt ist, wird das eingegebene " +"Passwort in den Stapelverabeitungsspeicher gelegt, damit andere PAM-Module " +"es nutzen können." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -"gibt an, dass die Verbindung »id_provider« auch <systemitem class=\"protocol" -"\">tls</systemitem> benutzen muss, um den Kanal abzusichern." +"Das Argument »use_first_pass« zwingt das Modul ein vorher im " +"Stapelverabeitungsspeicher abgelegtes Passwort zu benutzen. Es wird den " +"Anwender nie fragen. Falls kein Passwort verfügbar oder das Passwort " +"ungeeignet ist, wird dem Benutzer der Zugriff verwehrt." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -"gibt an, dass SSSD versuchen soll, die Benutzer- und Gruppen-ID von den " -"Attributen »ldap_user_objectsid« und »ldap_group_objectsid« abzubilden, " -"statt sich auf »ldap_user_uid_number« und »ldap_group_gid_number« zu " -"verlassen." +"Wenn das Passwort geändert wird, erzwingt das Modul, dass das neue Passwort " +"von einem vorher im Stapelverabeitungsspeicher abgelegten Passwortmodul " +"bereitgestellt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" -"Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-" -"Directory-ObjectSIDs." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" +"Ist dies angegeben, wird der Benutzer weitere N mal nach einem Passwort " +"gefragt, falls die Authentifizierung fehlschlägt. Voreinstellung ist 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -"Im Gegensatz zum SID-basierten ID-Abbilden, das benutzt wird, falls " -"»ldap_id_mapping« auf »true« gesetzt ist, ist der erlaubte ID-Bereich für " -"»ldap_user_uid_number« und »ldap_group_gid_number« offen. In einer " -"Konfiguration mit Unter-Domains und vertrauenswürdigen Domains könnte dies " -"zu ID-Kollisionen führen. 
Um Kollisionen zu vermeiden, können »ldap_min_id« " -"und »ldap_max_id« zum Begrenzen des erlaubten Bereichs für direkt vom Server " -"gelesene IDs verwendet werden. Unter-Domains können dann andere Bereiche zur " -"Abbildung von IDs wählen." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" -msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)" +"Bitte beachten Sie, dass diese Option möglicherweise nicht wie erwartet " +"funktioniert, falls eine Anwendung, die PAM aufruft, den Benutzerdialog " +"selbst abwickelt. Ein typisches Beispiel ist <command>sshd</command> mit " +"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" +"Falls diese Option angegeben ist, aber der Benutzer nicht existiert, gibt " +"das PAM-Modul den Wert PAM_IGNORE zurück. Dies hat zur Folge, dass das PAM-" +"Framework dieses Modul ignoriert." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" +"Gibt an, dass das PAM-Modul PAM_IGNORE zurückgeben soll, falls der SSSD-" +"Daemon nicht kontaktiert werden kann. Dies hat zur Folge, dass das PAM-" +"Framework dieses Modul ignoriert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "Voreinstellung Rechner/MeinRechner@BEREICH" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (Zeichenkette)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"gibt den SASL-Realm an, der benutzt werden soll. Wurde diese Option nicht " -"angegeben, ist die Voreinstellung der Wert von »krb5_realm«. Falls " -"»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Voreinstellung: der Wert von »krb5_realm«" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (Boolesch)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." 
+"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -"Falls dies auf »true« gesetzt wäre, würde die LDAP-Bibliothek ein " -"umgekehrtes Nachschlagen durchführen, um den Rechnernamen während eines SASL-" -"Bind in eine kanonische Form zu bringen." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Voreinstellung: false;" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -"Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5." -"keytab</filename>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Voreinstellung: 86400 (24 Stunden)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -"gibt die durch Kommata getrennte Liste von IP-Adressen bzw. Rechnernamen von " -"Kerberos-Servern in der Reihenfolge an, in der sich SSSD mit ihnen verbinden " -"soll. Weitere Informationen über Ausfallsicherung und Redundanz finden Sie " -"im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder Rechnernamen kann eine " -"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt " -"werden. 
Falls dies leer gelassen wurde, wird die Dienstsuche aktiviert. " -"Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Wenn die Dienstsuche für Schlüsselverwaltungszentralen- (KDC) oder Kpasswd-" -"Server benutzt wird, durchsucht SSSD zuerst die DNS-Einträge, die_udp als " -"Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -"Diese Option hieß in früheren Veröffentlichungen von SSSD »krb5_kdcip«. 
" -"Obwohl der alte Name einstweilen noch in Erinnerung ist, wird Anwendern " -"geraten, ihre Konfigurationsdateien auf die Verwendung von »krb5_server« zu " -"migrieren." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "BEREITGESTELLTE MODULTYPEN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" +"Alle Modultypen (<option>account</option>, <option>auth</option>, " +"<option>password</option> und <option>session</option>) werden " +"bereitgestellt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -"Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</" -"filename>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "DATEIEN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"gibt an, ob der Host Principal beim Verbinden mit einem LDAP-Server in eine " -"kanonische Form gebracht werden soll. Diese Funktionalität ist mit MIT " -"Kerberos >= 1.7 verfügbar." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (Boolesch)" +"Falls ein Zurücksetzen des Passworts durch Root fehlschlägt, weil der " +"zugehörige SSSD-Anbieter das Zurücksetzen von Passwörtern nicht unterstützt, " +"kann eine individuelle Nachricht angezeigt werden. Diese Nachricht kann z.B. " +"Anweisungen enthalten, wie ein Passwort zurückgesetzt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. 
This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"gibt an, ob SSSD die Kerberos-Bibliotheken anweisen soll, welcher Realm und " -"welche Schlüsselverwaltungszentralen (KDCs) benutzt werden sollen. Diese " -"Option ist standardmäßig eingeschaltet. Falls Sie sie ausschalten, müssen " -"Sie die Kerberos-Bibliothek mittels der Konfigurationsdatei " -"<citerefentry><refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> einrichten." +"Die Nachricht wird aus der Datei <filename>pam_sss_pw_reset_message.LOC</" +"filename> gelesen, wobei LOC für eine durch <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry> zurückgegebene Zeichenkette steht. Falls dort keine passende " +"Datei ist, wird der Inhalt von <filename>pam_sss_pw_reset_message.txt</" +"filename> angezeigt. Root muss der Besitzer der Dateien sein und nur Root " +"kann Lese- und Schreibrechte haben, während alle anderen Anwender nur " +"Leserechte haben dürfen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -"Weitere Informationen über die Locator-Erweiterung finden Sie auf der " -"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>." +"Diese Dateien werden im Verzeichnis <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename> gesucht. Falls keine passende Datei vorhanden ist, " +"wird eine allgemeine Nachricht angezeigt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (Zeichenkette)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "Kerberos Locator-Plugin" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. 
SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -"wählt das Regelwerk, anhand dessen das Client-seitige Erlöschen des " -"Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -"<emphasis>none</emphasis> – keine Client-seitige Abschätzung. Diese Option " -"kann keine Server-seitigen Passwortregelwerke deaktivieren." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -"<emphasis>shadow</emphasis> – benutzt Attribute im Stil von " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -"<emphasis>mit_kerberos</emphasis> – verwendet die von MIT Kerberos benutzten " -"Attribute, um zu bestimmen, ob das Passwort erloschen ist. Verwenden Sie " -"»chpass_provider=krb5«, um diese Attribute zu aktualisieren, wenn das " -"Passwort geändert wurde." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -"<emphasis>Hinweis</emphasis>: Falls serverseitig eine Passwortregel " -"konfiguriert ist, hat diese stets Vorrang vor der mit dieser Option " -"festgelegten Regel." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -"Bitte beachten Sie, dass SSSD nur Verweisverfolgung unterstützt, falls es " -"mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -"Verweisverfolgungen können in Umgebungen, die ausgiebig von ihnen Gebrauch " -"machen, einen Leistungsnachteil erleiden, ein beachtenswertes Beispiel ist " -"Microsoft Active Directory. Falls ihre Installation Verweisverfolgungen " -"nicht tatsächlich benötigt, könnte diese Option auf »false« zu setzen eine " -"merkliche Leistungsverbesserung bringen." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -"gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Voreinstellung: ldap" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -"gibt den Dienstnamen an, der zum Finden eines LDAP-Servers benutzt werden " -"soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht." +"Nicht alle Kerberos-Implementierungen unterstützen die Verwendung von " +"Erweiterungen. Falls <command>sssd_krb5_locator_plugin</command> nicht auf " +"Ihrem System vorhanden ist, müssen Sie /etc/krb5.conf bearbeiten, damit sie " +"Ihre Kerberos-Einrichtung widerspiegelt." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" -msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" +"Falls die Umgebungsvariable SSSD_KRB5_LOCATOR_DEBUG auf irgendeinen Wert " +"gesetzt ist, werden Debug-Nachrichten an »stderr« gesandt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -"gibt an, ob das Attribut »ldap_user_shadow_last_change« nach einer " -"Passwortänderung mit Unix-Zeit geändert wird." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (Zeichenkette)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" +"die Konfigurationsdatei für den »einfachen« Zugriffssteuerungsanbieter von " +"SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. 
For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des einfachen " +"Zugriffssteuerungsanbieters für <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. Eine ausführliche " +"Syntax-Referenz finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"Falls access_provider = ldap und ldap_access_order = filter ist " -"(Voreinstellung), dann ist diese Option obligatorisch. Sie gibt ein " -"Suchfilterkriterium für LDAP an, dass auf den Benutzer passen muss, damit " -"diesem Zugriff auf den Host gewährt wird. Falls access_provider = ldap und " -"ldap_access_order = filter ist und diese Option nicht gesetzt ist, wird " -"allen Benutzern der Zugriff verweigert. Verwenden Sie access_provider = " -"permit, um dieses Standardverhalten zu ändern. Bitte beachten Sie, dass " -"dieser Filter nur auf den LDAP-Benutzereintrag angewendet wird und daher die " -"auf verschachtelten Gruppen basierende Filterung nicht funktioniert. " -"Beispielsweise zeigt das Active-Directory-Attribut »memberOf« nur auf die " -"unmittelbaren Eltern. Falls die Filterung basierend auf verschachtelten " -"Gruppen erforderlich sein sollte, finden Sie genauere Anweisungen in der " -"Handbuchseite zu <citerefentry> <refentrytitle>sssd-simple</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." 
+"Der einfache Zugriffsanbieter gewährt oder verweigert den Zugriff auf Basis " +"einer Zugriffs- oder Verbotsliste von Benutzer- oder Gruppennamen. Es gelten " +"die folgenden Regeln:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Beispiel:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Falls alle Listen leer sind, wird Zugriff gewährt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"Falls irgendeine Liste bereitgestellt wird, ist die Reihenfolge der " +"Auswertung »erlauben,verbieten«. Das heißt, dass eine passende verbietende " +"Regeln jede passende erlaubende Regel ersetzt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." 
msgstr "" -"In diesem Beispiel wird der Zugriff auf diesen Host auf jene Benutzer " -"beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist." +"Falls eine oder beide »Erlaubnislisten« bereitgestellt werden, ist der " +"Zugriff allen Benutzern verboten, sofern sie nicht auf der Liste erscheinen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" +"Falls nur »Verbotslisten« bereitgestellt werden, wird der Zugriff allen " +"Benutzern gewährt, sofern sie nicht auf der Liste stehen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Voreinstellung: leer" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "Durch Kommata getrennte Liste von Benutzern, die sich anmelden dürfen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (Zeichenkette)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (Zeichenkette)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -"Mit dieser Option kann eine Client-seitige Abschätzung der " -"Zugriffssteuerungsattribute aktiviert werden." +"Durch Kommata getrennte Liste von Benutzern, denen der Zugriff explizit " +"verwehrt wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -"Bitte beachten Sie, dass die Server-seitige Zugriffssteuerung generell " -"empfohlen wird, d.h. der LDAP-Server sollte die Bind-Abfrage sogar dann mit " -"einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist." +"Durch Kommata getrennte Liste von Gruppen, die sich anmelden dürfen. Dies " +"gilt nur für Gruppen innerhalb dieser SSSD-Domain. Lokale Gruppen werden " +"nicht ausgewertet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Die folgenden Werte sind erlaubt:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"<emphasis>shadow</emphasis>: verwendet den Wert von " -"»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist." +"Durch Kommata getrennte Liste von Gruppen, denen der Zugriff explizit " +"verwehrt wird. Dies gilt nur für Gruppen innerhalb dieser SSSD-Domain. " +"Lokale Gruppen werden nicht ausgewertet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 -msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<emphasis>ad</emphasis>: verwendet den Wert des 32-Bit-Felds " -"»ldap_user_ad_user_account_control« und ermöglicht den Zugriff, falls das " -"zweite Bit nicht gesetzt ist. 
Falls das Attribut fehlt, wird Zugriff " -"gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft." +"Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im " +"Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: verwenden den Wert von »ldap_ns_account_lock«, um zu prüfen, ob " -"Zugriff erlaubt wird oder nicht." +"Keine Werte für eine der Listen anzugeben ist so, als ob sie ganz " +"übersprungen würde. Hüten Sie sich davor, solange Parameter für den " +"einfachen Anbieter mittels automatischer Skripte erzeugt werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." 
msgstr "" -"<emphasis>nds</emphasis>: Die Werte von " -"»ldap_user_nds_login_allowed_time_map«, »ldap_user_nds_login_disabled« und " -"»ldap_user_nds_login_expiration_time« werden benutzt, um zu überprüfen, ob " -"Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt." +"Bitte beachten Sie, das es ein Konfigurationsfehler ist, wenn sowohl " +"»simple_allow_users« als auch »simple_deny_users« definiert sind." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " -"»expire« enthalten <emphasis>muss</emphasis>, damit die Option " -"»ldap_account_expire_policy« funktioniert." +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " +"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> " +"erwähnten Domains ist. Die Beispiele zeigen nur die anbieterspezifischen " +"Optionen des einfachen Anbieters." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -"durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte " -"sind erlaubt:" +"Die vollständige Hierarchie der Gruppenmitgliedschaft wird aufgelöst, bevor " +"die Zugriffsprüfung ausgeführt wird. Daher können selbst verschachtelte " +"Gruppen Teil der Zugriffslisten werden. Bitte beachten Sie, dass die Option " +"<quote>ldap_group_nesting_level</quote> die Ergebnisse beeinflussen kann und " +"daher auf einen ausreichenden Wert gesetzt werden sollte. Siehe " +"(<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. 
If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. 
A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." 
+"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." 
msgstr "" -"<emphasis>authorized_service</emphasis>: verwendet das Attribut " -"»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -"<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, " -"ob Zugriff gewährt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. 
The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Voreinstellung: filter" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -"Bitte beachten Sie, dass es ein Konfigurationsfehler ist, falls ein Wert " -"mehr als einmal benutzt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"With this a part or the whole issuer name of the certificate can be matched. 
" +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -"gibt an, wie Alias-Dereferenzierung bei einer Suche erledigt wird. Die " -"folgenden Optionen sind erlaubt:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." -msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -"<emphasis>searching</emphasis>: Alias werden auf Unterebenen des " -"Basisobjekts dereferenziert, nicht jedoch beim Orten des Basisobjekts der " -"Suche." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -"<emphasis>finding</emphasis>: Alias werden nur beim Orten des Basisobjekts " -"der Suche dereferenziert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -"<emphasis>always</emphasis>: Alias werden sowohl bei der Suche als auch beim " -"Orten des Basisobjekts der Suche dereferenziert." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -"Voreinstellung: leer (Dies wird durch LDAP-Client-Bibliotheken wie " -"<emphasis>never</emphasis> gehandhabt.)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -"ermöglich, lokale Anwender als Mitglieder einer LDAP-Gruppe für Server " -"beizubehalten, die das Schema RFC2307 benutzen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. 
" -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -"In einigen Umgebungen, in denen das Schema RFC2307 verwendet wird, werden " -"lokale Benutzer zu Mitgliedern einer LDAP-Gruppe gemacht, indem ihre Namen " -"dem Attribut »memberUid« hinzugefügt werden. Die eigene Stimmigkeit der " -"Domain wird dabei kompromittiert, daher würde SSSD normalerweise »fehlende« " -"Anwender aus den zwischengespeicherten Gruppenmitgliedschaften entfernen, " -"sobald Nsswitch versucht, Informationen über den Anwender durch Aufrufen von " -"getpw*() oder initgroups() abzurufen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -"Diese Option greift auf das Prüfen zurück, ob auf lokale Benutzer Bezug " -"genommen wird und speichert sie, so dass spätere Aufrufe von »initgroups() " -"die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. 
<placeholder type=" -"\"variablelist\" id=\"0\"/>" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -"Alle häufigen Konfigurationsoptionen, die für SSSD-Domains gelten, gelten " -"auch für LDAP-Domains. Umfassende Einzelheiten finden Sie im Abschnitt " -"»DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. <placeholder " -"type=\"variablelist\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "SUDO-OPTIONEN" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -"Detaillierte Anweisungen zur Konfiguration von sudo_provider finden Sie in " -"der Handbuchseite zu <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "die Objektklasse eines Sudo-Regeleintrags in LDAP" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Voreinstellung: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "das LDAP-Attribut, das dem Namen des Befehls entspricht" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Voreinstellung: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -"das LDAP-Attribut, das dem Rechnernamen (oder der IP-Adresse, dem IP-" -"Netzwerk oder des Netzwerkgruppe des Rechners) entspricht" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Voreinstellung: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -"das LDAP-Attribut, das dem Benutzernamen (oder der UID, dem Gruppennamen " -"oder der Netzwerkgruppe des Benutzers) entspricht" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Voreinstellung: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "das LDAP-Attribut, das den Sudo-Optionen entspricht" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Voreinstellung: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -"das LDAP-Attribut, das dem Benutzernamen entspricht, unter dem Befehle " -"ausgeführt werden können" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Voreinstellung: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -"das LDAP-Attribut, das dem Gruppennamen oder der GID der Gruppe entspricht, " -"worunter Befehle ausgeführt werden können" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Voreinstellung: sudoRunAsGroup" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -"das LDAP-Attribut, das dem Startdatum und der Startzeit entpricht, wann die " -"Sudo-Regel gültig wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Voreinstellung: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (Zeichenkette)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -"das LDAP-Attribut, das dem Ablaufdatum und der Ablaufzeit entspricht, nach " -"der die Sudo-Regel nicht länger gültig ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Voreinstellung: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." 
-msgstr "das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Voreinstellung: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -"wie viele Sekunden SSSD zwischen einer vollständigen Aktualisierung von Sudo-" -"Regeln warten wird (wodurch alle auf dem Server gespeicherten Regeln " -"heruntergeladen werden)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -"Der Wert muss größer als <emphasis>ldap_sudo_smart_refresh_interval</" -"emphasis> sein." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Voreinstellung: 21600 (6 Stunden)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -"Falls vom Server keine USN-Attribute unterstützt werden, wird stattdessen " -"das Attribut »modifyTimestamp« benutzt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -"Falls dies auf »true« gesetzt ist, wird SSSD nur die Regeln herunterladen, " -"die auf diese Maschine angewandt werden können (mittels der IPv4- oder IPv6-" -"Netzwerkadressen und Rechnernamen)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -"durch Leerzeichen getrennte Listen von Rechnernamen oder voll qualifizierten " -"Domain-Namen, die zum Filtern der Regeln benutzt werden sollen" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -"Falls diese Option leer ist, wird SSSD versuchen, den Rechnernamen und den " -"voll qualifizierten Domain-Namen automatisch herauszufinden." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -"Falls <emphasis>ldap_sudo_use_host_filter</emphasis> <emphasis>false</" -"emphasis> ist, hat diese Option keine Auswirkungen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "Voreinstellung: nicht angegeben" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." 
msgstr "" -"durch Kommata getrennte Liste von IPv4- oder IPv6-Rechner- beziehungsweise " -"Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -"Falls diese Option leer ist, wird SSSD versuchen, die Adressen automatisch " -"herauszufinden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " -"eine Netzgruppe im Attribut »sudoHost« enthält." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (Boolesch)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " -"einen Platzhalter im Attribut »sudoHost« enthält." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"This manual page only describes attribute name mapping. 
For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -"Diese Handbuchseite beschreibt nur das Abbilden von Attributnamen. Eine " -"umfassende Erklärung der Sudo-bezogenen Attributsemantik finden Sie unter " -"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "AUTOFS-OPTIONEN" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. 
The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "ldap_autofs_map_master_name (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." -msgstr "Der Name der Automount-Master-Abbildung in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "Voreinstellung: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (Zeichenkette)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "die Objektklasse eines Automount-Abbildungseintrags in LDAP" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "der Name eines Automount-Abbildungseintrags in LDAP" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -"der Schlüssel eines Automount-Eintrags in LDAP. Normalerweise entspricht der " -"Eintrag einem Einhängepunkt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "ERWEITERTE OPTIONEN" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "BEISPIEL" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " -"LDAP auf eine der Domains im Abschnitt <replaceable>[domains]</replaceable> " -"gesetzt ist." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "ANMERKUNGEN" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -"Die Beschreibungen einiger Konfigurationsoptionen auf dieser Handbuchseite " -"basieren auf der Handbuchseite <citerefentry> <refentrytitle>ldap.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> der Distribution " -"OpenLDAP 2.4." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "PAM-Modul für SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -"<command>pam_sss.so</command> ist die PAM-Schnittstelle des " -"Systemsicherheitsdienst-Daemons (»System Security Services daemon«/SSSD). " -"Fehler und Ergebnisse werden durch <command>syslog(3)</command> mit der " -"Fertigkeit LOG_AUTHPRIV protokolliert." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "unterdrückt Protokollnachrichten für unbekannte Benutzer" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -"Falls <option>forward_pass</option> gesetzt ist, wird das eingegebene " -"Passwort in den Stapelverabeitungsspeicher gelegt, damit andere PAM-Module " -"es nutzen können." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 -msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -"Das Argument »use_first_pass« zwingt das Modul ein vorher im " -"Stapelverabeitungsspeicher abgelegtes Passwort zu benutzen. Es wird den " -"Anwender nie fragen. 
Falls kein Passwort verfügbar oder das Passwort " -"ungeeignet ist, wird dem Benutzer der Zugriff verwehrt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -"Wenn das Passwort geändert wird, erzwingt das Modul, dass das neue Passwort " -"von einem vorher im Stapelverabeitungsspeicher abgelegten Passwortmodul " -"bereitgestellt wird." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -"Ist dies angegeben, wird der Benutzer weitere N mal nach einem Passwort " -"gefragt, falls die Authentifizierung fehlschlägt. Voreinstellung ist 0." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Bitte beachten Sie, dass diese Option möglicherweise nicht wie erwartet " -"funktioniert, falls eine Anwendung, die PAM aufruft, den Benutzerdialog " -"selbst abwickelt. Ein typisches Beispiel ist <command>sshd</command> mit " -"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." 
msgstr "" -"Falls diese Option angegeben ist, aber der Benutzer nicht existiert, gibt " -"das PAM-Modul den Wert PAM_IGNORE zurück. Dies hat zur Folge, dass das PAM-" -"Framework dieses Modul ignoriert." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "SSSD IPA-Anbieter" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Gibt an, dass das PAM-Modul PAM_IGNORE zurückgeben soll, falls der SSSD-" -"Daemon nicht kontaktiert werden kann. Dies hat zur Folge, dass das PAM-" -"Framework dieses Modul ignoriert." +"Diese Handbuchseite beschreibt die Konfiguration des IPA-Anbieters für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" +"Der IPA-Anbieter ist ein Backend, das zum Verbinden mit einem IPA-Server " +"benutzt wird. (Informationen über IPA-Server finden Sie auf der Website " +"»freeipa.org«.) Dieser Anbieter erfordert, dass der Rechner einer IPA-Domain " +"beitritt. Die Konfiguration wird nahezu vollständig selbst ermittelt und " +"direkt vom Server genommen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. 
" +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" +"Der IPA-Anbieter wird den PAC-Responder benutzen, falls die Kerberos-Tickets " +"von Anwendern vertrauenswürdiger Realms ein PAC enthalten. Um die " +"Konfiguration zu vereinfachen, wird der PAC-Responder automatisch gestartet, " +"falls der IPA-ID-Anbieter konfiguriert ist." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" +"gibt den Namen der IPA-Domain an. Dies ist optional. Ist er nicht angegeben, " +"wird der Domain-Name der Konfiguration benutzt." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" +"Die durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen der IPA-" +"Server in der Reihenfolge, in der sich SSSD mit ihnen verbinden soll. " +"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im " +"Abschnitt »AUSFALLSICHERUNG«. Falls automatisches Auffinden aktiviert ist, " +"ist dies optional. Weitere Informationen finden Sie im Abschnitt " +"»DIENSTSUCHE«." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" +"HINWEIS: Auf älteren Systemen (wie RHEL 5) muss der Standard-Kerberos-Realm " +"ordentlich in /etc/krb5.conf gesetzt sein, damit dies zuverlässig " +"funktioniert." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." 
msgstr "" +"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_update</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_update</emphasis> in ihrer " +"Konfigurationsdatei migrieren." -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "BEREITGESTELLTE MODULTYPEN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (Ganzzahl)" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -"Alle Modultypen (<option>account</option>, <option>auth</option>, " -"<option>password</option> und <option>session</option>) werden " -"bereitgestellt." +"die TTL, die beim Aktualisieren auf den Client-DNS-Datensatz angewandt wird. " +"Falls »dyndns_update« »false« ist, hat dies keine Auswirkungen. Diese wird " +"die Server-seitige TTL außer Kraft setzen, falls diese durch einen " +"Administrator gesetzt wurde." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If SSSD's PAM responder is not running, e.g. 
if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" +"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_ttl</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_ttl</emphasis> in ihrer Konfigurationsdatei " +"migrieren." -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "DATEIEN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Voreinstellung: 1200 (Sekunden)" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." 
msgstr "" -"Falls ein Zurücksetzen des Passworts durch Root fehlschlägt, weil der " -"zugehörige SSSD-Anbieter das Zurücksetzen von Passwörtern nicht unterstützt, " -"kann eine individuelle Nachricht angezeigt werden. Diese Nachricht kann z.B. " -"Anweisungen enthalten, wie ein Passwort zurückgesetzt wird." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -"Die Nachricht wird aus der Datei <filename>pam_sss_pw_reset_message.LOC</" -"filename> gelesen, wobei LOC für eine durch <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry> zurückgegebene Zeichenkette steht. Falls dort keine passende " -"Datei ist, wird der Inhalt von <filename>pam_sss_pw_reset_message.txt</" -"filename> angezeigt. Root muss der Besitzer der Dateien sein und nur Root " -"kann Lese- und Schreibrechte haben, während alle anderen Anwender nur " -"Leserechte haben dürfen." 
+"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_iface</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_iface</emphasis> in ihrer " +"Konfigurationsdatei migrieren." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -"Diese Dateien werden im Verzeichnis <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename> gesucht. Falls keine passende Datei vorhanden ist, " -"wird eine allgemeine Nachricht angezeigt." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" -msgstr "Kerberos Locator-Plugin" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. 
To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. 
An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "aktiviert DNS-Sites – standortbasierte Dienstsuche" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" +"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt " +"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, " +"eine standortbasierte Suche mittels einer Abfrage, die »_location.hostname." +"example.com« enthält, durchzuführen und dann auf die traditionelle SRV-Suche " +"zurückgreifen. Falls die standortbasierte Suche erfolgreich ist, werden die " +"georteten IPA-Server, die mit der standortbasierten Suche gefunden wurden, " +"als primäre Server betrachtet und die mit der traditionellen SRV-Suche " +"gefundenen als Sicherungsserver." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (Ganzzahl)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" +"wie oft das Backend periodische DNS-Aktualisierungen zusätzlich zur " +"automatisch beim Online-Gehen durchgeführten Aktualisierung vornehmen soll. " +"Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" +"ob der PTR-Datensatz ebenfalls explizit aktualisiert werden soll, wenn die " +"DNS-Datensätze des Clients aktualisiert werden; nur anwendbar, wenn " +"»dyndns_update« »true« ist" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" +"Diese Option sollte in den meisten IPA-Bereitstellungen »False« sein, da der " +"IPA-Server die PTR-Datensätze automatisch erzeugt, wenn sich " +"Weiterleitungsdatensätze ändern." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." -msgstr "" -"Nicht alle Kerberos-Implementierungen unterstützen die Verwendung von " -"Erweiterungen. Falls <command>sssd_krb5_locator_plugin</command> nicht auf " -"Ihrem System vorhanden ist, müssen Sie /etc/krb5.conf bearbeiten, damit sie " -"Ihre Kerberos-Einrichtung widerspiegelt." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Voreinstellung: False (deaktiviert)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -"Falls die Umgebungsvariable SSSD_KRB5_LOCATOR_DEBUG auf irgendeinen Wert " -"gesetzt ist, werden Debug-Nachrichten an »stderr« gesandt." +"ob das Hilfswerkzeug Nsupdate standardmäßig TCP zur Kommunikation mit dem " +"DNS-Server verwenden soll" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. 
By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -"die Konfigurationsdatei für den »einfachen« Zugriffssteuerungsanbieter von " -"SSSD" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -"Diese Handbuchseite beschreibt die Konfiguration des einfachen " -"Zugriffssteuerungsanbieters für <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
Eine ausführliche " -"Syntax-Referenz finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -"Der einfache Zugriffsanbieter gewährt oder verweigert den Zugriff auf Basis " -"einer Zugriffs- oder Verbotsliste von Benutzer- oder Gruppennamen. Es gelten " -"die folgenden Regeln:" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Falls alle Listen leer sind, wird Zugriff gewährt." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -"Falls irgendeine Liste bereitgestellt wird, ist die Reihenfolge der " -"Auswertung »erlauben,verbieten«. 
Das heißt, dass eine passende verbietende " -"Regeln jede passende erlaubende Regel ersetzt." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -"Falls eine oder beide »Erlaubnislisten« bereitgestellt werden, ist der " -"Zugriff allen Benutzern verboten, sofern sie nicht auf der Liste erscheinen." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -"Falls nur »Verbotslisten« bereitgestellt werden, wird der Zugriff allen " -"Benutzern gewährt, sofern sie nicht auf der Liste stehen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Voreinstellung: verwendet Basis-DN" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (Zeichenkette)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." 
-msgstr "Durch Kommata getrennte Liste von Benutzern, die sich anmelden dürfen." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für HBAC-" +"bezogene Objekte" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (Zeichenkette)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -"Durch Kommata getrennte Liste von Benutzern, denen der Zugriff explizit " -"verwehrt wird." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (Zeichenkette)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -"Durch Kommata getrennte Liste von Gruppen, die sich anmelden dürfen. Dies " -"gilt nur für Gruppen innerhalb dieser SSSD-Domain. Lokale Gruppen werden " -"nicht ausgewertet." +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " +"SELinux-Benutzerabbildungen" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (Zeichenkette)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -"Durch Kommata getrennte Liste von Gruppen, denen der Zugriff explizit " -"verwehrt wird. Dies gilt nur für Gruppen innerhalb dieser SSSD-Domain. " -"Lokale Gruppen werden nicht ausgewertet." +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " +"vertrauenswürdige Domains" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" -"Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im " -"Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Voreinstellung: der Wert von <emphasis>cn=trusts,%basedn</emphasis>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." -msgstr "" -"Keine Werte für eine der Listen anzugeben ist so, als ob sie ganz " -"übersprungen würde. Hüten Sie sich davor, solange Parameter für den " -"einfachen Anbieter mittels automatischer Skripte erzeugt werden." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -"Bitte beachten Sie, das es ein Konfigurationsfehler ist, wenn sowohl " -"»simple_allow_users« als auch »simple_deny_users« definiert sind." +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für das " +"Master-Domain-Objekt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." -msgstr "" -"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " -"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> " -"erwähnten Domains ist. Die Beispiele zeigen nur die anbieterspezifischen " -"Optionen des einfachen Anbieters." 
- -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "Voreinstellung: der Wert von <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -"Die vollständige Hierarchie der Gruppenmitgliedschaft wird aufgelöst, bevor " -"die Zugriffsprüfung ausgeführt wird. Daher können selbst verschachtelte " -"Gruppen Teil der Zugriffslisten werden. Bitte beachten Sie, dass die Option " -"<quote>ldap_group_nesting_level</quote> die Ergebnisse beeinflussen kann und " -"daher auf einen ausreichenden Wert gesetzt werden sollte. Siehe " -"(<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. 
Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" +"der Name des Kerberos-Realm. Dieser ist optional. Standardmäßig ist es der " +"Wert von »ipa_domain«." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." 
+"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" +"der Name des Kerberos-Realms hat in IPA eine besondere Bedeutung – er wird " +"in den Basis-DN umgewandelt, um ihn zur Durchführung von LDAP-Transaktionen " +"zu verwenden." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Voreinstellung: 5 (Sekunden)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (Ganzzahl)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" +"die Zeit zwischen dem Abrufen der HBAC-Regeln beim IPA-Server. Dies wird die " +"Wartezeit und Belastung des IPA-Servers verringern, falls dort viele " +"Zugriffssteuerungsanfragen in einer kurzen Zeitspanne ankommen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (Ganzzahl)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" +"die Zeit zwischen den Abrufen der SELinux-Abbildungen beim IPA-Server. Dies " +"wird die Wartezeit und Belastung des IPA-Servers verringern, falls dort " +"viele Benutzeranmeldeanfragen in einer kurzen Zeitspanne ankommen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" +msgstr "der Ort des Automounters, den dieser IPA-Client benutzen wird" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "Voreinstellung: der Ort namens »default«" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Voreinstellung: cn" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:643 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 -msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#: sssd-ipa.5.xml:696 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" +msgstr "ANBIETER VON UNTER-DOMAINS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" +"Der Anbieter für IPA-Subdomains verhält sich geringfügig anders, je nachdem, " +"ob er explizit oder implizit konfiguriert wurde." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" +"Falls die Option »subdomains_provider = ipa« im Domain-Abschnitt der »sssd." +"conf« gefunden wird, wird der IPA-Subdomain-Anbieter explizit konfiguriert " +"und alle Subdomain-Anfragen werden, falls nötig, an den IPA-Server gesandt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" +"Falls die Option »subdomains_provider« nicht im Domain-Abschnitt der »sssd." +"conf« gesetzt ist, es dort aber die Option »id_provider = ipa« gibt, wird " +"der IPA-Subdomain-Anbieter implizit konfiguriert. In diesem Fall wird der " +"IPA-Anbieter deaktiviert, falls eine Subdomain-Anfrage fehlschlägt und " +"anzeigt, dass der Server keine Subdomains unterstützt, d.h. nicht zum " +"Vertrauen konfiguriert ist. Nach einer Stunde oder nachdem der IPA-Server " +"online gegangen ist, wird der Subdomain-Anbieter erneut aktiviert." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. 
For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#: sssd-ipa.5.xml:805 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:817 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#: sssd-ipa.5.xml:821 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. 
Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert und " +"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> " +"erwähnten Domänen ist. Diese Beispiele zeigen nur die anbieterspezifischen " +"Optionen von IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "SSSD Active-Directory-Anbieter" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des AD-Anbieters für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" +"Der AD-Anbieter unterstützt das Verbinden mit Active Directory 2008 R2 oder " +"neuer. Frühere Versionen könnten funktionieren, werden aber nicht " +"unterstützt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" +"Für Benutzer, Gruppen und weitere von SSSD bereitgestellt Einträge wird die " +"Groß- oder Kleinschreibung nicht beachtet, um die Kompatibilität zur LDAP-" +"Implementation in Active Directory zu gewährleisten." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" +"gibt den Namen der Active-Directory-Domain an. Dieser ist optional. Ist er " +"nicht angegeben, wird der Name der konfigurierten Domain benutzt." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" +"Damit dies ordentlich funktioniert, sollte diese Option in der " +"kleingeschriebenen Variante der langen Version der Active-Directory-Domain " +"angegeben werden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" +"Der kurze Domain-Name (auch als NetBIOS- oder flacher Name bekannt) wird von " +"SSSD automatisch ermittelt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. 
The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" +"optional, kann auf Maschinen, bei denen »hostname(5)« nicht den voll " +"qualifizierten Namen in der Active-Directory-Domain widerspiegelt, benutzt " +"werden, um sie zu identifizieren." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" +"Dieses Feld wird benutzt, um den in der Keytab benutzten Host Principal zu " +"bestimmen. Er muss dem Rechnernamen entsprechen, für die die Keytab " +"ausgegeben wurde." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." 
msgstr "" +"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt " +"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, " +"sich mit dem Active-Directory-Server zu verbinden, um die Active Directory " +"Site Discovery zu benutzen und dann auf die DNS-SRV-Datensätze " +"zurückgreifen, falls keine AD-Site gefunden wurde. Die DNS-SRV-Konfiguration " +"wird ebenfalls einschließlich der Domain zur Aufdeckung bei der Site-" +"Aufdeckung verwendet." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" +"Diese Option gibt Zugriffskontrollfilter für LDAP an, die auf den Benutzer " +"passen müssen, damit ihm Zugriff gewährt werden kann. Bitte beachten Sie, " +"dass die Option <quote>access_provider</quote> explizit auf <quote>ad</" +"quote> gesetzt werden muss, damit sie wirksam ist." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" +"Diese Option unterstützt auch die Angabe verschiedener Filter pro Domain " +"oder Wald. Dieser erweiterte Filter würde bestehen aus: <quote>SCHLÜSSELWORT:" +"NAME:FILTER</quote>. Das Schlüsselwort kann entweder <quote>DOM</quote> oder " +"<quote>FOREST</quote> sein oder auch weggelassen werden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" +"Falls das Schlüsselwort <quote>DOM</quote> ist oder fehlt, dann gibt der " +"<quote>NAME</quote> die Domain oder Subdomain an, auf die der Filter " +"angewendet werden soll. Ist das Schlüsselwort <quote>FOREST</quote>, dann " +"gilt der Filter für alle angegebenen Domains aus dem Wald, der in " +"<quote>NAME</quote> angegeben ist." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" +"Mehrere Filter können durch Fragezeichen <quote>?</quote> getrennt werden, " +"so wie es auch in Suchmaschinen üblich ist." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. 
If there are more matches with the same "
+"specification, the first one is used."
 msgstr ""
+"Es wird stets der spezifischste Treffer verwendet. Wenn zum Beispiel in der "
+"den Filter angebenden Option der Benutzer ein Mitglied ist und es sich um "
+"einen globalen Filter handelt, wird der pro-Domain-Filter angewendet. Gibt "
+"es mehrere Treffer, die der angeforderten Spezifikation entsprechen, wird "
+"der erste verwendet."
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:554
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ad.5.xml:289
+#, no-wrap
 msgid ""
-"This template will add the DN string of the value which is stored in the "
-"directoryName component of the SAN."
+"# apply filter on domain called dom1 only:\n"
+"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+"\n"
+"# apply filter on domain called dom2 only:\n"
+"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+"\n"
+"# apply filter on forest called EXAMPLE.COM only:\n"
+"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+" "
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:558
-msgid "Example: (orig_dn={subject_directory_name})"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:308
+msgid "ad_site (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sss-certmap.5.xml:563
-msgid "{subject_ediparty_name}"
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:311
+msgid ""
+"Specify AD site to which client should try to connect. If this option is "
+"not provided, the AD site will be auto-discovered."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:566
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:322
+msgid "ad_enable_gc (boolean)"
+msgstr "ad_enable_gc (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:325
 msgid ""
-"This template will add the value which is stored in the ediPartyName "
-"component of the SAN as escaped hex sequence."
+"By default, the SSSD connects to the Global Catalog first to retrieve users "
+"from trusted domains and uses the LDAP port to retrieve group memberships or "
+"as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
+"port of the current AD server."
 msgstr ""
+"Standardmäßig verbindet sich SSSD zuerst mit dem Globalen Katalog, um "
+"Benutzer von vertrauenswürdigen Domains abfragen zu können. Der LDAP-Port "
+"wird zum Ermitteln von Gruppenmitgliedschaften oder als Ausweichmöglichkeit "
+"verwendet. Wenn Sie diese Option deaktivieren, verbindet sich SSSD nur mit "
+"dem LDAP-Port des aktuellen Servers."
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:571
-msgid "Example: (attr:binary={subject_ediparty_name})"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:333
+msgid ""
+"Please note that disabling Global Catalog support does not disable "
+"retrieving users from trusted domains.
The SSSD would connect to the LDAP "
+"port of trusted domains instead. However, Global Catalog must be used in "
+"order to resolve cross-domain group memberships."
 msgstr ""
+"Bitte beachten Sie, dass die Deaktivierung der Unterstützung für den "
+"Globalen Katalog die Abfrage von Benutzern von vertrauenswürdigen Domains "
+"nicht deaktiviert. SSSD würde sich stattdessen mit dem LDAP-Port der "
+"vertrauenswürdigen Domains verbinden. Jedoch muss der Globale Katalog "
+"verwendet werden, um domainübergreifende Gruppenmitgliedschaften auflösen zu "
+"können."
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sss-certmap.5.xml:576
-msgid "{subject_registered_id}"
-msgstr ""
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:347
+msgid "ad_gpo_access_control (string)"
+msgstr "ad_gpo_access_control (Zeichenkette)"
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:579
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:350
 msgid ""
-"This template will add the OID which is stored in the registeredID component "
-"of the SAN as a dotted-decimal string."
+"This option specifies the operation mode for GPO-based access control "
+"functionality: whether it operates in disabled mode, enforcing mode, or "
+"permissive mode. Please note that the <quote>access_provider</quote> option "
+"must be explicitly set to <quote>ad</quote> in order for this option to have "
+"an effect."
 msgstr ""
+"Diese Option legt den Operationsmodus für GPO-basierte Zugriffskontrolle "
+"fest. Verfügbar sind die Modi »disabled«, »enforcing« und »permissive«. "
+"Bitte beachten Sie, dass die Option <quote>access_provider</quote> explizit "
+"auf <quote>ad</quote> gesetzt werden muss, damit sie wirksam ist."
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sss-certmap.5.xml:584
-msgid "Example: (oid={subject_registered_id})"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:359
+#, fuzzy
+#| msgid ""
+#| "GPO-based access control functionality uses GPO policy settings to "
+#| "determine whether or not a particular user is allowed to logon to a "
+#| "particular host."
+msgid ""
+"GPO-based access control functionality uses GPO policy settings to determine "
+"whether or not a particular user is allowed to logon to the host. For more "
+"information on the supported policy settings please refer to the "
+"<quote>ad_gpo_map</quote> options."
 msgstr ""
+"Die GPO-basierte Zugriffskontrolle verwendet gesetzte GPO-Regeln, um zu "
+"ermitteln, ob sich ein bestimmter Benutzer an einem bestimmten Rechner "
+"anmelden darf."
-#. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sss-certmap.5.xml:369
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:367
 msgid ""
-"The templates to add certificate data to the search filter are based on "
-"Python-style formatting strings. They consist of a keyword in curly braces "
-"with an optional sub-component specifier separated by a '.' or an optional "
-"conversion/formatting option separated by a '!'. Allowed values are: "
-"<placeholder type=\"variablelist\" id=\"0\"/>"
+"Please note that current version of SSSD does not support Active Directory's "
+"built-in groups. Built-in groups (such as Administrators with SID "
+"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See "
+"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sss-certmap.5.xml:592
-msgid "DOMAIN LIST"
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:376
+msgid ""
+"Before performing access control SSSD applies group policy security "
+"filtering on the GPOs. For every single user login, the applicability of the "
+"GPOs that are linked to the host is checked. In order for a GPO to apply to "
+"a user, the user or at least one of the groups to which it belongs must have "
+"following permissions on the GPO:"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sss-certmap.5.xml:594
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:386
 msgid ""
-"If the domain list is not empty users mapped to a given certificate are not "
-"only searched in the local domain but in the listed domains as well as long "
-"as they are know by SSSD. Domains not know to SSSD will be ignored."
+"Read: The user or one of its groups must have read access to the properties "
+"of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
-#. type: Content of: <reference><refentry><refnamediv><refname>
-#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
-msgid "sssd-ipa"
-msgstr "sssd-ipa"
-
-#. type: Content of: <reference><refentry><refnamediv><refpurpose>
-#: sssd-ipa.5.xml:17
-msgid "SSSD IPA provider"
-msgstr "SSSD IPA-Anbieter"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:393
+msgid ""
+"Apply Group Policy: The user or at least one of its groups must be allowed "
+"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
+msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:23
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:401
 msgid ""
-"This manual page describes the configuration of the IPA provider for "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
-"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
-"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+"By default, the Authenticated Users group is present on a GPO and this group "
+"has both Read and Apply Group Policy access rights. Since authentication of "
+"a user must have been completed successfully before GPO security filtering "
+"and access control are started, the Authenticated Users group permissions on "
+"the GPO always apply also to the user."
 msgstr ""
-"Diese Handbuchseite beschreibt die Konfiguration des IPA-Anbieters für "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt "
-"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</"
-"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:36
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:410
 msgid ""
-"The IPA provider is a back end used to connect to an IPA server. (Refer to "
-"the freeipa.org web site for information about IPA servers.) This provider "
-"requires that the machine be joined to the IPA domain; configuration is "
-"almost entirely self-discovered and obtained directly from the server."
+"NOTE: The current version of SSSD does not support host (computer) entries "
+"in the GPO 'Security Filtering' list. Only user and group entries are "
+"supported. Host entries in the list have no effect."
msgstr ""
-"Der IPA-Anbieter ist ein Backend, das zum Verbinden mit einem IPA-Server "
-"benutzt wird. (Informationen über IPA-Server finden Sie auf der Website "
-"»freeipa.org«.) Dieser Anbieter erfordert, dass der Rechner einer IPA-Domain "
-"beitritt. Die Konfiguration wird nahezu vollständig selbst ermittelt und "
-"direkt vom Server genommen."
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:43
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:417
+#, fuzzy
+#| msgid ""
+#| "NOTE: If the operation mode is set to enforcing, it is possible that "
+#| "users that were previously allowed logon access will now be denied logon "
+#| "access (as dictated by the GPO policy settings). In order to facilitate a "
+#| "smooth transition for administrators, a permissive mode is available that "
+#| "will not enforce the access control rules, but will evaluate them and "
+#| "will output a syslog message if access would have been denied. By "
+#| "examining the logs, administrators can then make the necessary changes "
+#| "before setting the mode to enforcing."
 msgid ""
-"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
-"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
-"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
-"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
-"optimizations for IPA environments. The IPA provider accepts the same "
-"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
-"However, it is neither necessary nor recommended to set these options."
+"NOTE: If the operation mode is set to enforcing, it is possible that users "
+"that were previously allowed logon access will now be denied logon access "
+"(as dictated by the GPO policy settings).
In order to facilitate a smooth "
+"transition for administrators, a permissive mode is available that will not "
+"enforce the access control rules, but will evaluate them and will output a "
+"syslog message if access would have been denied. By examining the logs, "
+"administrators can then make the necessary changes before setting the mode "
+"to enforcing. For logging GPO-based access control debug level 'trace "
+"functions' is required (see <citerefentry> <refentrytitle>sssctl</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)."
 msgstr ""
+"ACHTUNG: Wird der Operationsmodus auf »enforcing« gesetzt, dann ist es "
+"möglich, dass Benutzern, denen früher bereits einmal Zugriff gewährt wurde, "
+"ihnen dieser nun verweigert wird (sofern dies von den GPO-Regeln "
+"vorgeschrieben wird). Um Administratoren einen weichen Übergang zu "
+"ermöglichen, ist der Modus »permissive« verfügbar, der die Umsetzung der "
+"Zugriffskontrollregeln nicht erzwingt. Diese werden lediglich ausgewertet "
+"und eine Meldung geht an das Systemprotokoll, falls tatsächlich der Zugriff "
+"verweigert werden würde. Nach dem Untersuchen der Protokolle können "
+"Administratoren nun die nötigen Änderungen vornehmen, bevor der Modus auf "
+"»enforcing« gesetzt wird."
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:57
-msgid ""
-"The IPA provider primarily copies the traditional ldap and krb5 provider "
-"default options with some exceptions, the differences are listed in the "
-"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
-msgstr ""
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:436
+msgid "There are three supported values for this option:"
+msgstr "Für diese Option werden drei Werte unterstützt:"
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:440
 msgid ""
-"As an access provider, the IPA provider uses HBAC (host-based access "
-"control) rules. Please refer to freeipa.org for more information about "
-"HBAC. No configuration of access provider is required on the client side."
+"disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
+"disabled: GPO-basierte Zugriffskontrollregeln werden weder ausgewertet noch "
+"deren Anwendung erzwungen."
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:67
-msgid ""
-"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
-"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
-"quote>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:446
+msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
+"enforcing: GPO-basierte Zugriffskontrollregeln werden sowohl ausgewertet als "
+"auch deren Anwendung erzwungen."
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:73
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:452
 msgid ""
-"The IPA provider will use the PAC responder if the Kerberos tickets of users "
-"from trusted realms contain a PAC. To make configuration easier the PAC "
-"responder is started automatically if the IPA ID provider is configured."
+"permissive: GPO-based access control rules are evaluated, but not enforced. "
+"Instead, a syslog message will be emitted indicating that the user would "
+"have been denied access if this option's value were set to enforcing."
msgstr ""
-"Der IPA-Anbieter wird den PAC-Responder benutzen, falls die Kerberos-Tickets "
-"von Anwendern vertrauenswürdiger Realms ein PAC enthalten. Um die "
-"Konfiguration zu vereinfachen, wird der PAC-Responder automatisch gestartet, "
-"falls der IPA-ID-Anbieter konfiguriert ist."
+"permissive: GPO-basierte Zugriffskontrollregeln werden zwar ausgewertet, "
+"aber deren Anwendung nicht erzwungen. Stattdessen wird eine Meldung an das "
+"Systemprotokoll ausgelöst, mit dem Inhalt, dass dem Benutzer der Zugriff "
+"verweigert werden würde, wenn die Option auf »enforcing« gesetzt wäre."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
-msgid "ipa_domain (string)"
-msgstr "ipa_domain (Zeichenkette)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:463
+msgid "Default: permissive"
+msgstr "Voreinstellung: permissive"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
-msgid ""
-"Specifies the name of the IPA domain. This is optional. If not provided, "
-"the configuration domain name is used."
+#: sssd-ad.5.xml:466
+msgid "Default: enforcing"
 msgstr ""
-"gibt den Namen der IPA-Domain an. Dies ist optional. Ist er nicht angegeben, "
-"wird der Domain-Name der Konfiguration benutzt."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:100
-msgid "ipa_server, ipa_backup_server (string)"
-msgstr "ipa_server, ipa_backup_server (Zeichenkette)"
+#: sssd-ad.5.xml:472
+msgid "ad_gpo_implicit_deny (boolean)"
+msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:103
+#: sssd-ad.5.xml:475
 msgid ""
-"The comma-separated list of IP addresses or hostnames of the IPA servers to "
-"which SSSD should connect in the order of preference.
For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"This is optional if autodiscovery is enabled. For more information on "
-"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Normally when no applicable GPOs are found the users are allowed access. "
+"When this option is set to True users will be allowed access only when "
+"explicitly allowed by a GPO rule. Otherwise users will be denied access. "
+"This can be used to harden security but be careful when using this option "
+"because it can deny access even to users in the built-in Administrators "
+"group if no GPO rules apply to them."
 msgstr ""
-"Die durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen der IPA-"
-"Server in der Reihenfolge, in der sich SSSD mit ihnen verbinden soll. "
-"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im "
-"Abschnitt »AUSFALLSICHERUNG«. Falls automatisches Auffinden aktiviert ist, "
-"ist dies optional. Weitere Informationen finden Sie im Abschnitt "
-"»DIENSTSUCHE«."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116
-msgid "ipa_hostname (string)"
-msgstr "ipa_hostname (Zeichenkette)"
+#: sssd-ad.5.xml:492
+msgid "ad_gpo_ignore_unreadable (boolean)"
+msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ad.5.xml:495
 msgid ""
-"Optional. May be set on machines where the hostname(5) does not reflect the "
-"fully qualified name used in the IPA domain to identify this host. The "
-"hostname must be fully qualified."
+"Normally when some group policy containers (AD object) of applicable group "
+"policy objects are not readable by SSSD then users are denied access.
This "
+"option allows to ignore group policy containers and with them associated "
+"policies if their attributes in group policy containers are not readable for "
+"SSSD."
 msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
-msgid "dyndns_update (boolean)"
-msgstr "dyndns_update (Boolesch)"
+#: sssd-ad.5.xml:512
+msgid "ad_gpo_cache_timeout (integer)"
+msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:131
+#: sssd-ad.5.xml:515
 msgid ""
-"Optional. This option tells SSSD to automatically update the DNS server "
-"built into FreeIPA with the IP address of this client. The update is secured "
-"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
-"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
-"quote> option."
+"The amount of time between lookups of GPO policy files against the AD "
+"server. This will reduce the latency and load on the AD server if there are "
+"many access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:528
+msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+#: sssd-ad.5.xml:531
 msgid ""
-"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
-"the default Kerberos realm must be set properly in /etc/krb5.conf"
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the InteractiveLogonRight and "
+"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated "
+"for which the user has Read and Apply Group Policy permission (see option "
+"<quote>ad_gpo_access_control</quote>).
If an evaluated GPO contains the "
+"deny interactive logon setting for the user or one of its groups, the user "
+"is denied local access. If none of the evaluated GPOs has an interactive "
+"logon right defined, the user is granted local access. If at least one "
+"evaluated GPO contains interactive logon right settings, the user is granted "
+"local access only, if it or at least one of its groups is part of the policy "
+"settings."
 msgstr ""
-"HINWEIS: Auf älteren Systemen (wie RHEL 5) muss der Standard-Kerberos-Realm "
-"ordentlich in /etc/krb5.conf gesetzt sein, damit dies zuverlässig "
-"funktioniert."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:145
+#: sssd-ad.5.xml:549
 msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
-"emphasis> in their config file."
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on locally\" and \"Deny log on locally\"."
 msgstr ""
-"HINWEIS: Obwohl es immer noch möglich ist, die alte Option "
-"<emphasis>ipa_dyndns_update</emphasis> zu benutzen, sollten Anwender auf die "
-"Verwendung von <emphasis>dyndns_update</emphasis> in ihrer "
-"Konfigurationsdatei migrieren."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
-msgid "dyndns_ttl (integer)"
-msgstr "dyndns_ttl (Ganzzahl)"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:563
+#, no-wrap
 msgid ""
-"The TTL to apply to the client DNS record when updating it. If "
-"dyndns_update is false this has no effect.
This will override the TTL "
-"serverside if set by an administrator."
+"ad_gpo_map_interactive = +my_pam_service, -login\n"
+" "
 msgstr ""
-"die TTL, die beim Aktualisieren auf den Client-DNS-Datensatz angewandt wird. "
-"Falls »dyndns_update« »false« ist, hat dies keine Auswirkungen. Diese wird "
-"die Server-seitige TTL außer Kraft setzen, falls diese durch einen "
-"Administrator gesetzt wurde."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:165
+#: sssd-ad.5.xml:554
 msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
-"emphasis> in their config file."
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>login</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
-"HINWEIS: Obwohl es immer noch möglich ist, die alte Option "
-"<emphasis>ipa_dyndns_ttl</emphasis> zu benutzen, sollten Anwender auf die "
-"Verwendung von <emphasis>dyndns_ttl</emphasis> in ihrer Konfigurationsdatei "
-"migrieren."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:171
-msgid "Default: 1200 (seconds)"
-msgstr "Voreinstellung: 1200 (Sekunden)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:586
+msgid "gdm-fingerprint"
+msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
-msgid "dyndns_iface (string)"
-msgstr "dyndns_iface (Zeichenkette)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:606
+msgid "lightdm"
+msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
-msgid ""
-"Optional. Applicable only when dyndns_update is true. Choose the interface "
-"or a list of interfaces whose IP addresses should be used for dynamic DNS "
-"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
-"should be used."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:611
+msgid "lxdm"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:187
-msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
-"emphasis> in their config file."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:616
+msgid "sddm"
 msgstr ""
-"HINWEIS: Obwohl es immer noch möglich ist, die alte Option "
-"<emphasis>ipa_dyndns_iface</emphasis> zu benutzen, sollten Anwender auf die "
-"Verwendung von <emphasis>dyndns_iface</emphasis> in ihrer "
-"Konfigurationsdatei migrieren."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:193
-msgid ""
-"Default: Use the IP addresses of the interface which is used for IPA LDAP "
-"connection"
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:621
+msgid "unity"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
-msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:626
+msgid "xdm"
 msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
-msgid "dyndns_auth (string)"
+#: sssd-ad.5.xml:635
+msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+#: sssd-ad.5.xml:638
 msgid ""
-"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
-"updates with the DNS server, insecure updates can be sent by setting this "
-"option to 'none'."
-msgstr ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the RemoteInteractiveLogonRight and "
+"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are "
+"evaluated for which the user has Read and Apply Group Policy permission (see "
+"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains "
+"the deny remote logon setting for the user or one of its groups, the user is "
+"denied remote interactive access. If none of the evaluated GPOs has a "
+"remote interactive logon right defined, the user is granted remote access. "
+"If at least one evaluated GPO contains remote interactive logon right "
+"settings, the user is granted remote access only, if it or at least one of "
+"its groups is part of the policy settings."
+msgstr ""
 #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
-msgid "Default: GSS-TSIG"
+#: sssd-ad.5.xml:657
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on through Remote Desktop Services\" and \"Deny log on through Remote "
+"Desktop Services\"."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218
-msgid "ipa_enable_dns_sites (boolean)"
-msgstr "ipa_enable_dns_sites (Boolesch)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
-msgid "Enables DNS sites - location based service discovery."
-msgstr "aktiviert DNS-Sites – standortbasierte Dienstsuche"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:672
+#, no-wrap
+msgid ""
+"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+" "
+msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:225
+#: sssd-ad.5.xml:663
 msgid ""
-"If true and service discovery (see Service Discovery paragraph at the bottom "
-"of the man page) is enabled, then the SSSD will first attempt location "
-"based discovery using a query that contains \"_location.hostname.example.com"
-"\" and then fall back to traditional SRV discovery.
If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt " -"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, " -"eine standortbasierte Suche mittels einer Abfrage, die »_location.hostname." -"example.com« enthält, durchzuführen und dann auf die traditionelle SRV-Suche " -"zurückgreifen. Falls die standortbasierte Suche erfolgreich ist, werden die " -"georteten IPA-Server, die mit der standortbasierten Suche gefunden wurden, " -"als primäre Server betrachtet und die mit der traditionellen SRV-Suche " -"gefundenen als Sicherungsserver." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" -msgstr "dyndns_refresh_interval (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -"wie oft das Backend periodische DNS-Aktualisierungen zusätzlich zur " -"automatisch beim Online-Gehen durchgeführten Aktualisierung vornehmen soll. " -"Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" -msgstr "dyndns_update_ptr (Boolesch)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:697 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. 
If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"ob der PTR-Datensatz ebenfalls explizit aktualisiert werden soll, wenn die " -"DNS-Datensätze des Clients aktualisiert werden; nur anwendbar, wenn " -"»dyndns_update« »true« ist" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:715 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -"Diese Option sollte in den meisten IPA-Bereitstellungen »False« sein, da der " -"IPA-Server die PTR-Datensätze automatisch erzeugt, wenn sich " -"Weiterleitungsdatensätze ändern." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "Voreinstellung: False (deaktiviert)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:721 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"ob das Hilfswerkzeug Nsupdate standardmäßig TCP zur Kommunikation mit dem " -"DNS-Server verwenden soll" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:755 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. 
Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:773 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:790 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"Note: Cron service name may differ depending on Linux distribution used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:808 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. 
Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Voreinstellung: verwendet Basis-DN" +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. 
<quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" -"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für HBAC-" -"bezogene Objekte" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (Zeichenkette)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " -"SELinux-Benutzerabbildungen" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " -"vertrauenswürdige Domains" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "Voreinstellung: der Wert von <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (Zeichenkette)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." 
+#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für das " -"Master-Domain-Objekt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "Voreinstellung: der Wert von <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -"der Name des Kerberos-Realm. Dieser ist optional. Standardmäßig ist es der " -"Wert von »ipa_domain«." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -"der Name des Kerberos-Realms hat in IPA eine besondere Bedeutung – er wird " -"in den Basis-DN umgewandelt, um ihn zur Durchführung von LDAP-Transaktionen " -"zu verwenden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." 
+#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Voreinstellung: 5 (Sekunden)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (Ganzzahl)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"This option should only be used to test the machine account renewal task. 
" +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -"die Zeit zwischen dem Abrufen der HBAC-Regeln beim IPA-Server. Dies wird die " -"Wartezeit und Belastung des IPA-Servers verringern, falls dort viele " -"Zugriffssteuerungsanfragen in einer kurzen Zeitspanne ankommen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -"die Zeit zwischen den Abrufen der SELinux-Abbildungen beim IPA-Server. Dies " -"wird die Wartezeit und Belastung des IPA-Servers verringern, falls dort " -"viele Benutzeranmeldeanfragen in einer kurzen Zeitspanne ankommen." +"Optional. 
Diese Option teilt SSSD mit, dass es den Active-Directory-DNS-" +"Server mit der IP-Adresse dieses Clients aktualisieren soll. Die " +"Aktualisierung wird mittels GSS-TSIG abgesichert. Infolgedessen muss der " +"Active-Directory-Verwalter nur sichere Aktualisierungen für die DNS-Zone " +"erlauben. Die IP-Adresse der AD-LDAP-Verbindung wird für die " +"Aktualisierungen verwendet, falls sie nicht anderweitig mittels der Option " +"»dyndns_iface« angegeben wurde." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "Voreinstellung: 3600 (Sekunden)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Voreinstellung: True" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " +"example.com auf eine der Domains im Abschnitt <replaceable>[sssd]</" +"replaceable> gesetzt ist. Dieses Beispiel zeigt nur die anbieterspezifischen " +"Optionen von AD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (Zeichenkette)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "der Ort des Automounters, den dieser IPA-Client benutzen wird" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "Voreinstellung: der Ort namens »default«" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"Der AD-Zugriffssteuerungsanbieter prüft, ob das Konto erloschen ist. Es hat " +"dieselben Auswirkungen wie die folgende Konfiguration des LDAP-Anbieters: " +"<placeholder type=\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "Sudo mit dem SSSD-Backend konfigurieren" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" +"Diese Handbuchseite beschreibt, wie <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> konfiguriert wird, " +"damit es zusammen mit <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> funktioniert und wie SSSD Sudo-" +"Regeln zwischenspeichert." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "Sudo so konfigurieren, dass es mit SSSD zusammenarbeitet" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" +"Um SSSD als eine Quelle von Sudo-Regeln zu aktivieren, fügen Sie dem Eintrag " +"<emphasis>sudoers</emphasis> in <citerefentry> <refentrytitle>nsswitch.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <emphasis>sss</" +"emphasis> hinzu." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" +"Um zum Beispiel Sudo so zu konfigurieren, dass es zuerst die Regeln in der " +"Standarddatei <citerefentry> <refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> nachschlägt (diese sollten Regeln " +"umfassen, die für lokale Benutzer gelten) und dann die in SSSD, sollte die " +"Datei »nsswitch.conf« die folgende Zeile enthalten:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." 
msgstr "" +"Weitere Informationen über die Konfiguration der Suchreihenfolge der " +"»sudoers« aus der Datei »nsswitch.conf« sowie das LDAP-Schema, das zum " +"Speichern von Sudo-Regeln im Verzeichnis benutzt wird, können Sie unter " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> finden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" +"<emphasis>Hinweis</emphasis>: Um Netzgruppen oder IPA-Hostgruppen in sudo-" +"Regeln verwenden zu können, muss <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> korrekt auf den entsprechenden NIS-Domainnamen gesetzt werden. " +"Dieser entspricht dem IPA-Domainnamen, wenn Hostgruppen verwendet werden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "SSSD zum Abrufen von Sudo-Regeln konfigurieren" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"Name of the objectclass for user overrides. 
It is used to determine if the " -"found override object is related to a user or a group." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" +"Alle auf der SSSD-Seite erforderliche Konfiguration ist die Erweiterung der " +"Liste der <emphasis>Dienste</emphasis> mit \"sudo\" im Abschnitt [sssd] der " +"Handbuchseite zu <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. Um LDAP-Suchvorgänge zu " +"beschleunigen, können Sie auch die Suchbasis für sudo-Regeln mit der Option " +"<emphasis>ldap_sudo_search_base</emphasis> festlegen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" +"Das folgende Beispiel zeigt, wie SSSD konfiguriert wird, damit es die Sudo-" +"Regeln von einem LDAP-Server herunterlädt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "Der Zwischenspeichermechanismus für Sudo-Regeln" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" +"Die größte Herausforderung bei der Entwicklung von Sudo-Unterstützung in " +"SSSD war es, sicherzustellen, dass beim Ausführen von Sudo mit SSSD die " +"Datenquelle dieselbe Benutzererfahrung bereitstellt und so schnell wie Sudo " +"ist, aber weiterhin so viele aktuelle Regelsätze wie möglich bereitstellt. " +"Um diesen Anforderungen zu genügen, verwendet SSSD drei Arten von " +"Aktualisierungen. Sie werden als vollständiges Aktualisieren, kluges " +"Aktualisieren und Regelaktualisierung bezeichnet." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" +"Das <emphasis>kluge Aktualisieren</emphasis> lädt periodisch Regeln " +"herunter, die neu sind oder seit der letzten Aktualisierung geändert wurden. " +"Das Hauptziel hierbei ist es, die Datenbank anwachsen zu lassen, indem nur " +"kleine Erweiterungen abgerufen werden, die keinen großen Netzwerkverkehr " +"erzeugen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" +"Das <emphasis>vollständige Aktualisieren</emphasis> löscht einfach alle im " +"Zwischenspeicher abgelegten Regeln und ersetzt sie durch die auf dem Server " +"gespeicherten Regeln. Dies wird benutzt, um den Zwischenspeicher dadurch " +"konsistent zu halten, dass jede von Server gelöschte Regel entfernt wird. 
" +"Ein vollständiges Aktualisieren kann jedoch eine hohe Last erzeugen und " +"sollte daher nur gelegentlich abhängig von der Größe und Stabilität der Sudo-" +"Regeln ausgeführt werden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" +"Die <emphasis>Regelaktualisierung</emphasis> stellt sicher, dass dem " +"Benutzer nicht mehr Rechte als definiert gewährt werden. Es wird jedesmal " +"ausgelöst, wenn der Benutzer Sudo ausführt. Regelaktualisierung wird alle " +"Regeln suchen, die für diesen Benutzer gelten, ihren Ablaufzeitpunkt prüfen " +"und sie erneut herunterladen, falls sie erloschen sind. Im Fall, dass " +"irgendwelche der Regeln auf dem Server fehlen, wird SSSD außer der Reihe ein " +"vollständiges Aktualisieren durchführen, da möglicherweise weitere Regeln " +"(die für andere Benutzer gelten) gelöscht wurden." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"If enabled, SSSD will store only rules that can be applied to this machine. 
" +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" +"SSSD wird, falls aktiviert, nur Regeln speichern, die auf diese Maschine " +"angewandt werden können. Das bedeutet, Regeln, die einen der folgenden Werte " +"im Attribut <emphasis>sudoHost</emphasis> enthalten:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "Schlüsselwort ALL" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "Platzhalter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "Netzgruppe (in der Form »+Netzgruppe«)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "Rechnername oder voll qualifizierter Domain-Namen dieser Maschine" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 -msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "eine der IP-Adressen dieser Maschine" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "ANBIETER VON UNTER-DOMAINS" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#: sssd-sudo.5.xml:199 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"Der Anbieter für IPA-Subdomains verhält sich geringfügig anders, je nachdem, " -"ob er explizit oder implizit konfiguriert wurde." +"Es gibt viele Konfigurationsoptionen, die benutzt werden können, um das " +"Verhalten anzupassen. 
Bitte lesen Sie »ldap_sudo_*« in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> und \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "System Security Services Daemon (Systemsicherheitsdienst-Daemon)" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"Falls die Option »subdomains_provider = ipa« im Domain-Abschnitt der »sssd." -"conf« gefunden wird, wird der IPA-Subdomain-Anbieter explizit konfiguriert " -"und alle Subdomain-Anfragen werden, falls nötig, an den IPA-Server gesandt." +"<command>sssd</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd.8.xml:31 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. 
After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." -msgstr "" -"Falls die Option »subdomains_provider« nicht im Domain-Abschnitt der »sssd." -"conf« gesetzt ist, es dort aber die Option »id_provider = ipa« gibt, wird " -"der IPA-Subdomain-Anbieter implizit konfiguriert. In diesem Fall wird der " -"IPA-Anbieter deaktiviert, falls eine Subdomain-Anfrage fehlschlägt und " -"anzeigt, dass der Server keine Subdomains unterstützt, d.h. nicht zum " -"Vertrauen konfiguriert ist. Nach einer Stunde oder nachdem der IPA-Server " -"online gegangen ist, wird der Subdomain-Anbieter erneut aktiviert." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" +"<command>SSSD</command> stellt einen Satz Daemons bereit, um den Zugriff auf " +"ferne Verzeichnisse und Authentifizierungsmechanismen zu verwalten. Es " +"bietet eine NSS- und PAM-Schnittstelle zum System und ein erweiterbares " +"Backend-System zum Verbinden mit mehreren unterschiedlichen Kontenquellen " +"sowie der D-Bus-Schnittstelle. Es bildet außerdem die Grundlage für das " +"Bereitstellen von Client-Überprüfungen und Richtliniendiensten für Projekte " +"wie FreeIPA. Es stellt eine robustere Datenbank bereit, um lokale Benutzer " +"sowie erweiterte Benutzerdaten zu speichern." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>STUFE</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 -msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>Modus</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" +"<emphasis>1</emphasis>: Den Debug-Nachrichten wird ein Zeitstempel " +"hinzugefügt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 -msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" +"<emphasis>0</emphasis>: Zeitstempel in Debug-Nachrichten werden deaktiviert." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>Modus</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" +"<emphasis>1</emphasis>: Dem Zeitstempel in Debug-Nachrichten werden " +"Millisekunden hinzugefügt." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" +"<emphasis>0</emphasis>: Millisekunden werden in Zeitstempeln deaktiviert" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" +"sendet die Ausgabe der Fehlersuche in Dateien statt auf die " +"Standardfehlerausgabe. 
Standardmäßig werden die Protokolldateien in " +"<filename>/var/log/sssd</filename> gespeichert. Dort gibt es separate " +"Protokolldateien für jeden SSSD-Dienst und jede Domain." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "wird nach dem Start ein Daemon." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "läuft im Vordergrund und wird kein Daemon." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"gibt eine Konfigurationsdatei an, die nicht Standard ist. Die Voreinstellung " +"ist <filename>/etc/sssd/sssd.conf</filename>. Auskunft über die Syntax und " +"Optionen der Konfigurationsdatei finden Sie in der Handbuchseite " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. 
In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert und " -"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> " -"erwähnten Domänen ist. Diese Beispiele zeigen nur die anbieterspezifischen " -"Optionen von IPA." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "SSSD Active-Directory-Anbieter" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "gibt die Versionsnummer aus und beendet sich." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 -msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"Diese Handbuchseite beschreibt die Konfiguration des AD-Anbieters für " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " -"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Signale" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 -msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. 
Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -"Der AD-Anbieter unterstützt das Verbinden mit Active Directory 2008 R2 oder " -"neuer. Frühere Versionen könnten funktionieren, werden aber nicht " -"unterstützt." +"Informiert SSSD, dass es anstandslos alle Kindprozesse beenden und dann das " +"Überwachungsprogramm herunterfahren soll." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" +"teilt SSSD mit, dass es das Schreiben des aktuellen Dateideskriptors zur " +"Fehlersuche stoppen, ihn schließen und erneut öffnen soll. Dies ist dazu " +"gedacht, das Rotieren von Protokolldateien mit Programmen wie Logrotate zu " +"erleichtern." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +#| "applications will not use the fast in memory cache." msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" +"Falls die Umgebungsvariable SSS_NSS_USE_MEMCACHE auf »NO« gesetzt ist, " +"nutzen Client-Anwendungen den schnellen speicherinternen Zwischenspeicher " +"nicht." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "verschleiert ein Klartextpasswort" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"ldap_id_mapping = False\n" -" " +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -"ldap_id_mapping = False\n" -" " +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORT]</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#: sss_obfuscate.8.xml:32 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." 
msgstr "" +"<command>sss_obfuscate</command> wandelt ein angegebenes Passwort in ein von " +"Menschen nicht lesbares Format um und legt es in einem geeigneten Domain-" +"Abschnitt der SSSD-Konfigurationsdatei ab." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#: sss_obfuscate.8.xml:37 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" -"Für Benutzer, Gruppen und weitere von SSSD bereitgestellt Einträge wird die " -"Groß- oder Kleinschreibung nicht beachtet, um die Kompatibilität zur LDAP-" -"Implementation in Active Directory zu gewährleisten." +"Das Klartextpasswort wird von der Standardeingabe gelesen oder interaktiv " +"eingegeben. Das verschleierte Passwort wird in den Parameter " +"»ldap_default_authtok« einer angegebenen SSSD-Domain abgelegt und der " +"Parameter »ldap_default_authtok_type« wird auf »obfuscated_password« " +"gesetzt. Weitere Einzelheiten über diese Parameter finden Sie unter " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (Zeichenkette)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" +"Bitte beachten Sie, dass das Verschleiern von Passwörtern <emphasis>keinen " +"wirklichen Sicherheitsgewinn</emphasis> bietet, da es einem Angreifer immer " +"noch möglich ist, das Passwort wieder herzuleiten. Es wird " +"<emphasis>dringend</emphasis> geraten, bessere Authentifizierungsmechanismen " +"wie Client-seitige Zertifikate oder GSSAPI zu verwenden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" +"Das Passwort, das verschleiert werden soll, wird von der Standardeingabe " +"gelesen." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"gibt den Namen der Active-Directory-Domain an. Dieser ist optional. 
Ist er " -"nicht angegeben, wird der Name der konfigurierten Domain benutzt." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -"Damit dies ordentlich funktioniert, sollte diese Option in der " -"kleingeschriebenen Variante der langen Version der Active-Directory-Domain " -"angegeben werden." +"die SSSD-Domain, in der das Passwort benutzt wird. Der Standardname ist " +"»default«." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -"Der kurze Domain-Name (auch als NetBIOS- oder flacher Name bekannt) wird von " -"SSSD automatisch ermittelt." +"<option>-f</option>,<option>--file</option> <replaceable>DATEI</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "liest die durch den Positionsparameter angegebene Konfigurationsdatei." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Voreinstellung: <filename>/etc/sssd/sssd.conf</filename>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. 
This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"Optional. 
May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." -msgstr "" -"optional, kann auf Maschinen, bei denen »hostname(5)« nicht den voll " -"qualifizierten Namen in der Active-Directory-Domain widerspiegelt, benutzt " -"werden, um sie zu identifizieren." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -"Dieses Feld wird benutzt, um den in der Keytab benutzten Host Principal zu " -"bestimmen. Er muss dem Rechnernamen entsprechen, für die die Keytab " -"ausgegeben wurde." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. 
The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt " -"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, " -"sich mit dem Active-Directory-Server zu verbinden, um die Active Directory " -"Site Discovery zu benutzen und dann auf die DNS-SRV-Datensätze " -"zurückgreifen, falls keine AD-Site gefunden wurde. Die DNS-SRV-Konfiguration " -"wird ebenfalls einschließlich der Domain zur Aufdeckung bei der Site-" -"Aufdeckung verwendet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "ad_access_filter (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -"Diese Option gibt Zugriffskontrollfilter für LDAP an, die auf den Benutzer " -"passen müssen, damit ihm Zugriff gewährt werden kann. Bitte beachten Sie, " -"dass die Option <quote>access_provider</quote> explizit auf <quote>ad</" -"quote> gesetzt werden muss, damit sie wirksam ist." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -"Diese Option unterstützt auch die Angabe verschiedener Filter pro Domain " -"oder Wald. Dieser erweiterte Filter würde bestehen aus: <quote>SCHLÜSSELWORT:" -"NAME:FILTER</quote>. Das Schlüsselwort kann entweder <quote>DOM</quote> oder " -"<quote>FOREST</quote> sein oder auch weggelassen werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -"Falls das Schlüsselwort <quote>DOM</quote> ist oder fehlt, dann gibt der " -"<quote>NAME</quote> die Domain oder Subdomain an, auf die der Filter " -"angewendet werden soll. Ist das Schlüsselwort <quote>FOREST</quote>, dann " -"gilt der Filter für alle angegebenen Domains aus dem Wald, der in " -"<quote>NAME</quote> angegeben ist." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 -msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -"Mehrere Filter können durch Fragezeichen <quote>?</quote> getrennt werden, " -"so wie es auch in Suchmaschinen üblich ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. 
If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -"Es wird stets der spezifischste Treffer verwendet. Wenn zum Beispiel in der " -"den Filter angebenden Option der Benutzer ein Mitglied ist und es sich um " -"einen globalen Filter handelt, wird der pro-Domain-Filter angewendet. Gibt " -"es mehrere Treffer, die der angeforderten Spezifikation entsprechen, wird " -"der erste verwendet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "ad_enable_gc (Boolesch)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -"Standardmäßig verbindet sich SSSD zuerst mit dem Globalen Katalog, um " -"Benutzer von vertrauenswürdigen Domains abfragen zu können. Der LDAP-Port " -"wird zum Ermitteln von Gruppenmitgliedschaften oder als Ausweichmöglichkeit " -"verwendet. Wenn Sie diese Option deaktivieren, verbindet sich SSSD nur mit " -"dem LDAP-Port des aktuellen Servers." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -"Bitte beachten Sie, dass die Deaktivierung der Unterstützung für den " -"Globalen Katalog die Abfrage von Benutzern von vertrauenswürdigen Domains " -"nicht deaktiviert. SSSD würde sich stattdessen mit dem LDAP-Port der " -"vertrauenswürdigen Domains verbinden. Jedoch muss der Globale Katalog " -"verwendet werden, um domainübergreifende Gruppenmitgliedschaften auflösen zu " -"können." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "ad_gpo_access_control (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 -msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -"Diese Option legt den Operationsmodus für GPO-basierte Zugriffskontrolle " -"fest. Verfügbar sind die Modi »disabled«, »enforcing« und »permissive«. 
" -"Bitte beachten Sie, dass die Option <quote>access_provider</quote> explizit " -"auf <quote>ad</quote> gesetzt werden muss, damit sie wirksam ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -"Die GPO-basierte Zugriffskontrolle verwendet gesetzte GPO-Regeln, um zu " -"ermitteln, ob sich ein bestimmter Benutzer an einem bestimmten Rechner " -"anmelden darf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -"ACHTUNG: Wird der Operationsmodus auf »enforcing« gesetzt, dann ist es " -"möglich, dass Benutzern, denen früher bereits einmal Zugriff gewährt wurde, " -"ihnen dieser nun verweigert wird (sofern dies von den GPO-Regeln " -"vorgeschrieben wird). Um Administratoren einen weichen Übergang zu " -"ermöglichen, ist der Modus »permissive« verfügbar, der die Umsetzung der " -"Zugriffskontrollregeln nicht erzwingt. Diese werden lediglich ausgewertet " -"und eine Meldung geht an das Systemprotokoll, falls tatsächlich der Zugriff " -"verweigert werden würde. Nach dem Untersuchen der Protokolle können " -"Administratoren nun die nötigen Änderungen vornehmen, bevor der Modus auf " -"»enforcing« gesetzt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "Für diese Option werden drei Werte unterstützt:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -"disabled: GPO-basierte Zugriffskontrollregeln werden weder ausgewertet noch " -"deren Anwendung erzwungen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -"enforcing: GPO-basierte Zugriffskontrollregeln werden sowohl ausgewertet als " -"auch deren Anwendung erzwungen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 -msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -"permissive: GPO-basierte Zugriffskontrollregeln werden zwar ausgewertet, " -"aber deren Anwendung nicht erzwungen. Stattdessen wird eine Meldung an das " -"Systemprotokoll ausgelöst, mit dem Inhalt, dass dem Benutzer der Zugriff " -"verweigert werden würde, wenn die Option auf »enforcing« gesetzt wäre." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" -msgstr "Voreinstellung: permissive" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 -msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "erstellt einen neuen Benutzer" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" +"<command>sss_useradd</command> erstellt mittels der auf der Befehlszeile " +"angegebenen Werte sowie der Standardwerte des Systems ein neues " +"Benutzerkonto." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"setzt die UID des Benutzers auf den Wert von <replaceable>UID</replaceable>. " +"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" +"irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft " +"für den vollständigen Namen des Benutzers verwendet." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_VERZ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" +"das Home-Verzeichnis des Benutzerkontos. Standardmäßig wird der Name für die " +"<replaceable>ANMELDUNG</replaceable> an <filename>/home</filename> angehängt " +"und dies dann als Home-Verzeichnis benutzt. Das Basisverzeichnis, das " +"<replaceable>ANMELDUNG</replaceable> vorangestellt wird, ist über die " +"Einstellung »user_defaults/baseDirectory« in der »sssd.conf« einstellbar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" +"die Anmelde-Shell des Benutzers. Voreinstellung ist derzeit <filename>/bin/" +"bash</filename>. Die Voreinstellung kann über die Einstellung »user_defaults/" +"defaultShell« in der »sssd.conf« geändert werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPEN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "eine Liste existierender Gruppen, denen dieser Benutzer auch angehört" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" +"erstellt das Home-Verzeichnis des Benutzers, falls es nicht existiert. Die " +"Dateien und Verzeichnisse, die in der Verzeichnisvorlage (die mit der Option " +"-k oder in der Konfigurationsdatei definiert werden kann) enthalten sind, " +"werden in das Home-Verzeichnis kopiert." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" +"erstellt nicht das Home-Verzeichnis des Benutzers und setzt " +"Konfigurationseinstellungen außer Kraft." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKEL-VERZ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" +"die Verzeichnisvorlage mit Dateien und Verzeichnissen, die in das durch " +"<command>sss_useradd</command> neu erstellte Home-Verzeichnis des Benutzers " +"kopiert werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" +"Spezialdateien (block- und zeichenorientierte Geräte, benannte Pipes und " +"Unix-Sockets) werden nicht kopiert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" +"Diese Option ist nur gültig, falls die Option <option>-m</option> (oder " +"<option>--create-home</option>) angegeben wurde oder das Erstellen von Home-" +"Verzeichnissen in der Konfiguration auf »TRUE« gesetzt ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_BENUTZER</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" +"der SELinux-Benutzer für die Anmeldung des Benutzers. Ist er nicht " +"angegeben, wird die Voreinstellung des Systems benutzt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "SSSD Kerberos-Anbieter" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des Authentifizierungs-" +"Backends Kerberos 5 für <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Eine ausführliche Syntax-Referenz " +"finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). 
The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" +"Das Authentifizierungs-Backend Kerberos 5 enthält Authentifizierungs- und " +"Chpass-Anbieter. Es muss mit einem Identitätsanbieter verbunden werden, " +"damit es sauber läuft (zum Beispiel »id_provider = ldap«). Einige vom " +"Kerberos-5-Authentifizierungs-Backend benötigten Informationen wie der " +"»Kerberos Principal Name« (UPN) des Benutzers müssen durch den " +"Identitätsanbieter bereitgestellt werden. Die Konfiguration des " +"Identitätsanbieters sollte einen Eintrag haben, der den UPN angibt. " +"Einzelheiten, wie dies konfiguriert wird, finden Sie in der Handbuchseite " +"des entsprechenden Identitätsanbieters." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" +"Dieses Backend stellt ebenso eine Zugriffssteuerung bereit, die auf der " +"Datei .k5login im Home-Verzeichnis des Benutzers basiert. Weitere " +"Einzelheiten finden Sie unter <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Bitte beachten Sie, " +"dass eine leere .k5login-Datei jegliche Zugriffe durch diesen Benutzer " +"verbietet. 
Verwenden Sie »access_provider = krb5« in Ihrer SSSD-" +"Konfiguration, um diese Funktionalität zu aktivieren." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" +"Im Fall, dass UPN nicht im Identitäts-Backend verfügbar ist, wird " +"<command>sssd</command> mittels des Formats <replaceable>Benutzername</" +"replaceable>@<replaceable>Krb5_Realm</replaceable> einen UPN konstruieren." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:77 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." 
msgstr "" +"gibt eine durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen " +"der Kerberos-Server in der Reihenfolge an, in der sich SSSD mit ihnen " +"verbinden soll. Weitere Informationen über Ausfallsicherung und Redundanz " +"finden Sie im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder " +"Rechnernamen kann eine optionale Portnummer (der ein Doppelpunkt " +"vorangestellt ist) angehängt werden. Falls dies leer gelassen wurde, wird " +"die Dienstsuche aktiviert. Weitere Informationen finden Sie im Abschnitt " +"»DIENSTSUCHE«." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" +"der Name des Kerberos-Realms. Diese Option wird benötigt und muss angegeben " +"werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "" +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:116 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." 
msgstr "" +"Falls der Dienst zum Ändern von Passwörtern auf der " +"Schlüsselverwaltungszentrale (KDC) nicht läuft, können hier alternative " +"Server definiert werden. An die Adressen oder Rechnernamen kann eine " +"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt " +"werden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#: sssd-krb5.5.xml:122 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" +"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im " +"Abschnitt »AUSFALLSICHERUNG«. HINWEIS: Selbst wenn es keine weiteren " +"»kpasswd«-Server mehr auszuprobieren gibt, wird das Backend nicht offline " +"gehen, da eine Authentifizierung gegen die Schlüsselverwaltungszentrale " +"(KDC) immer noch möglich ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Voreinstellung: KDC benutzen" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (Zeichenkette)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:138 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" +"Das Verzeichnis zum Ablegen von Anmeldedaten-Zwischenspeichern. Alle " +"Ersetzungssequenzen von krb5_ccname_template können hier auch verwendet " +"werden, außer %d und %P. Das Verzeichnis wird als privat angelegt und ist " +"Eigentum des Benutzers. Die Zugriffsrechte werden auf 0700 gesetzt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." -msgstr "" +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Voreinstellung: /tmp" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "Anmeldename" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "Anmelde-UID" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "Principal-Name" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 -msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. 
For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "Realm-Name" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "Home-Verzeichnis" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "Wert von krb5_ccachedir" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "die Prozess-ID des SSSD-Clients" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "ein buchstäbliches »%«" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. 
Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" +"Der Ort für die Zwischenspeicherung der Anmeldedaten des Benutzers. Drei " +"Zwischenspeichertypen werden derzeit unterstützt: <quote>FILE</quote>, " +"<quote>DIR</quote> und <quote>KEYRING:persistent</quote>. Der " +"Zwischenspeicher kann entweder als <replaceable>TYP:REST</replaceable> oder " +"als absoluter Pfad angegeben werden, wobei Letzteres den Typ <quote>FILE</" +"quote> beinhaltet. In der Schablone werden die folgenden Sequenzen ersetzt: " +"<placeholder type=\"variablelist\" id=\"0\"/> Falls die Vorlage mit »XXXXXX« " +"endet, wird mkstemp(3) verwendet, um auf sichere Weise einen eindeutigen " +"Dateinamen zu erzeugen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" +"Wenn der KEYRING-Typ verwendet wird, ist <quote>KEYRING:persistent:%U</" +"quote> der einzige unterstützte Mechanismus. 
Hierfür wird der Schlüsselbund " +"des Linux-Kernels zum Speichern der Anmeldedaten getrennt nach Benutzer-IDs " +"verwendet. Dies wird auch empfohlen, da es die sicherste und " +"vorausberechenbarste Methode ist." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:216 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" +"Der Vorgabewert für den Anmeldedaten-Zwischenspeicher wird aus dem im " +"Abschnitt [libdefaults] der Datei krb5.conf enthaltenen Profil der " +"systemweiten Konfiguration bezogen. Der Name der Option ist " +"default_ccache_name. Im Abschnitt PARAMETER EXPANSION der Handbuchseite zu " +"krb5.conf(5) finden Sie zusätzliche Informationen zu dem in krb5.conf " +"definierten Format." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Voreinstellung: (aus libkrb5)" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" -msgstr "" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (Ganzzahl)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:243 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" +"Zeitüberschreitung in Sekunden, nach der eine Online-Anfrage zur " +"Authentifizierung oder Passwortänderung gescheitert ist. Falls möglich, wird " +"die Authentifizierung offline fortgesetzt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (Boolesch)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:257 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. 
The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -"Optional. Diese Option teilt SSSD mit, dass es den Active-Directory-DNS-" -"Server mit der IP-Adresse dieses Clients aktualisieren soll. Die " -"Aktualisierung wird mittels GSS-TSIG abgesichert. Infolgedessen muss der " -"Active-Directory-Verwalter nur sichere Aktualisierungen für die DNS-Zone " -"erlauben. Die IP-Adresse der AD-LDAP-Verbindung wird für die " -"Aktualisierungen verwendet, falls sie nicht anderweitig mittels der Option " -"»dyndns_iface« angegeben wurde." +"prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung ist. " +"Die Einträge der Keytab werden der Reihe nach kontrolliert und der erste " +"Eintrag mit einem passenden Realm wird für die Überprüfung benutzt. Falls " +"keine Einträge dem Realm entsprechen, wird der letzte Eintrag der Keytab " +"verwendet. Dieser Prozess kann zur Überprüfung von Umgebungen mittels Realm-" +"übergreifendem Vertrauen benutzt werden, indem der dazugehörige Keytab-" +"Eintrag als letzter oder einziger Eintrag in der Keytab-Datei abgelegt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "Voreinstellung: 3600 (Sekunden)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#: sssd-krb5.5.xml:275 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" +"der Speicherort der Keytab, der bei der Überprüfung von Berechtigungen " +"benutzt wird, die von Schlüsselverwaltungszentralen (KDCs) stammen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Voreinstellung: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Voreinstellung: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " -"example.com auf eine der Domains im Abschnitt <replaceable>[sssd]</" -"replaceable> gesetzt ist. Dieses Beispiel zeigt nur die anbieterspezifischen " -"Optionen von AD." +"speichert das Passwort des Benutzers, falls der Anbieter offline ist, und " +"benutzt es zur Abfrage des TGTs, wenn der Anbieter wieder online geht." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"HINWEIS: Diese Funktionalität ist nur auf Linux verfügbar. Passwörter, die " +"auf diese Weise gespeichert wurden, werden im Klartext im Schlüsselbund des " +"Kernels aufbewahrt. 
Darauf kann unter Umständen (mit Mühe) durch den " +"Benutzer Root zugegriffen werden." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" -msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Der AD-Zugriffssteuerungsanbieter prüft, ob das Konto erloschen ist. Es hat " -"dieselben Auswirkungen wie die folgende Konfiguration des LDAP-Anbieters: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"fordert ein erneuerbares Ticket mit einer Gesamtlebensdauer an. Es wird als " +"Ganzzahl, der direkt eine Zeiteinheit folgt, angegeben:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 -msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> für Sekunden" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> für Minuten" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> für Stunden" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> für Tage" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" +"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" +"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. 
Um die erneuerbare " +"Lebensdauer auf eineinhalb Stunden zu setzen, verwenden Sie »90m« statt " +"»1h30m«." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Voreinstellung: nicht gesetzt, d.h. das TGT ist nicht erneuerbar." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "Sudo mit dem SSSD-Backend konfigurieren" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -"Diese Handbuchseite beschreibt, wie <citerefentry> <refentrytitle>sudo</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> konfiguriert wird, " -"damit es zusammen mit <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> funktioniert und wie SSSD Sudo-" -"Regeln zwischenspeichert." +"Anforderungsticket mit einer Lebensdauer, angegeben als Ganzzahl, der direkt " +"eine Zeiteinheit folgt:" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "Sudo so konfigurieren, dass es mit SSSD zusammenarbeitet" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" +"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -"Um SSSD als eine Quelle von Sudo-Regeln zu aktivieren, fügen Sie dem Eintrag " -"<emphasis>sudoers</emphasis> in <citerefentry> <refentrytitle>nsswitch.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <emphasis>sss</" -"emphasis> hinzu." +"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die Lebensdauer auf " +"eineinhalb Stunden zu setzen, verwenden Sie »90m« statt »1h30m«." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -"Um zum Beispiel Sudo so zu konfigurieren, dass es zuerst die Regeln in der " -"Standarddatei <citerefentry> <refentrytitle>sudoers</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> nachschlägt (diese sollten Regeln " -"umfassen, die für lokale Benutzer gelten) und dann die in SSSD, sollte die " -"Datei »nsswitch.conf« die folgende Zeile enthalten:" +"Voreinstellung: nicht gesetzt, d.h. die Standardlebenszeit des Tickets auf " +"der Schlüsselverwaltungszentrale (KDC)" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Weitere Informationen über die Konfiguration der Suchreihenfolge der " -"»sudoers« aus der Datei »nsswitch.conf« sowie das LDAP-Schema, das zum " -"Speichern von Sudo-Regeln im Verzeichnis benutzt wird, können Sie unter " -"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> finden." +"die Zeit in Sekunden zwischen zwei Prüfungen, ob das TGT erneuert werden " +"soll. TGTs werden erneuert, wenn ungefähr die Hälfte ihrer Lebensdauer " +"überschritten ist. Sie wird als Ganzzahl, der unmittelbar eine Zeiteinheit " +"folgt, angegeben:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 -msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -"<emphasis>Hinweis</emphasis>: Um Netzgruppen oder IPA-Hostgruppen in sudo-" -"Regeln verwenden zu können, muss <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> korrekt auf den entsprechenden NIS-Domainnamen gesetzt werden. " -"Dieser entspricht dem IPA-Domainnamen, wenn Hostgruppen verwendet werden." +"Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische " +"Erneuerung deaktiviert." -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "SSSD zum Abrufen von Sudo-Regeln konfigurieren" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -"Alle auf der SSSD-Seite erforderliche Konfiguration ist die Erweiterung der " -"Liste der <emphasis>Dienste</emphasis> mit \"sudo\" im Abschnitt [sssd] der " -"Handbuchseite zu <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>. Um LDAP-Suchvorgänge zu " -"beschleunigen, können Sie auch die Suchbasis für sudo-Regeln mit der Option " -"<emphasis>ldap_sudo_search_base</emphasis> festlegen." +"Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die " +"Vorauthentifizierung von Kerberos ein. Die folgenden Optionen werden " +"unterstützt:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -"Das folgende Beispiel zeigt, wie SSSD konfiguriert wird, damit es die Sudo-" -"Regeln von einem LDAP-Server herunterlädt." +"<emphasis>never</emphasis>: FAST wird nie benutzt. Dies ist so, als ob diese " +"Einstellung gar nicht gemacht würde." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<emphasis>try</emphasis>: Es wird versucht, FAST zu benutzen. Falls der " +"Server kein FAST unterstützt, fährt die Authentifizierung ohne fort." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" +"<emphasis>demand</emphasis>: Fragt nach, ob FAST benutzt werden soll. Die " +"Authentifizierung schlägt fehl, falls der Server kein FAST erfordert." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "HINWEIS: Zur Benutzung von FAST ist eine Keytab erforderlich." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. 
If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" +"HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und neuer. " +"Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, ist die " +"Verwendung dieser Option ein Konfigurationsfehler." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "Der Zwischenspeichermechanismus für Sudo-Regeln" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "gibt den Server-Principal zur Benutzung von FAST an." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." 
msgstr "" -"Die größte Herausforderung bei der Entwicklung von Sudo-Unterstützung in " -"SSSD war es, sicherzustellen, dass beim Ausführen von Sudo mit SSSD die " -"Datenquelle dieselbe Benutzererfahrung bereitstellt und so schnell wie Sudo " -"ist, aber weiterhin so viele aktuelle Regelsätze wie möglich bereitstellt. " -"Um diesen Anforderungen zu genügen, verwendet SSSD drei Arten von " -"Aktualisierungen. Sie werden als vollständiges Aktualisieren, kluges " -"Aktualisieren und Regelaktualisierung bezeichnet." +"gibt an, ob der Rechner und User-Principal in die kanonische Form gebracht " +"werden sollen. Diese Funktionalität ist mit MIT-Kerberos 1.7 und neueren " +"Versionen verfügbar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -"Das <emphasis>kluge Aktualisieren</emphasis> lädt periodisch Regeln " -"herunter, die neu sind oder seit der letzten Aktualisierung geändert wurden. " -"Das Hauptziel hierbei ist es, die Datenbank anwachsen zu lassen, indem nur " -"kleine Erweiterungen abgerufen werden, die keinen großen Netzwerkverkehr " -"erzeugen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. 
" -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -"Das <emphasis>vollständige Aktualisieren</emphasis> löscht einfach alle im " -"Zwischenspeicher abgelegten Regeln und ersetzt sie durch die auf dem Server " -"gespeicherten Regeln. Dies wird benutzt, um den Zwischenspeicher dadurch " -"konsistent zu halten, dass jede von Server gelöschte Regel entfernt wird. " -"Ein vollständiges Aktualisieren kann jedoch eine hohe Last erzeugen und " -"sollte daher nur gelegentlich abhängig von der Größe und Stabilität der Sudo-" -"Regeln ausgeführt werden." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." 
msgstr "" -"Die <emphasis>Regelaktualisierung</emphasis> stellt sicher, dass dem " -"Benutzer nicht mehr Rechte als definiert gewährt werden. Es wird jedesmal " -"ausgelöst, wenn der Benutzer Sudo ausführt. Regelaktualisierung wird alle " -"Regeln suchen, die für diesen Benutzer gelten, ihren Ablaufzeitpunkt prüfen " -"und sie erneut herunterladen, falls sie erloschen sind. Im Fall, dass " -"irgendwelche der Regeln auf dem Server fehlen, wird SSSD außer der Reihe ein " -"vollständiges Aktualisieren durchführen, da möglicherweise weitere Regeln " -"(die für andere Benutzer gelten) gelöscht wurden." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " +#| "more information on the locator plugin." msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -"SSSD wird, falls aktiviert, nur Regeln speichern, die auf diese Maschine " -"angewandt werden können. Das bedeutet, Regeln, die einen der folgenden Werte " -"im Attribut <emphasis>sudoHost</emphasis> enthalten:" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "Schlüsselwort ALL" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "Platzhalter" +"Weitere Informationen über die Locator-Erweiterung finden Sie auf der " +"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "Netzgruppe (in der Form »+Netzgruppe«)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" -msgstr "Rechnername oder voll qualifizierter Domain-Namen dieser Maschine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (Boolesch)" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "eine der IP-Adressen dieser Maschine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" +"gibt an, ob der User Principal als Enterprise Principal betrachtet werden " +"soll. Weitere Informationen über Enterprise Principals finden Sie in " +"Abschnitt 5 von RFC 6806." -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "Voreinstellung: falsch (AD-Anbieter: wahr)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -"Es gibt viele Konfigurationsoptionen, die benutzt werden können, um das " -"Verhalten anzupassen. Bitte lesen Sie »ldap_sudo_*« in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> und \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "System Security Services Daemon (Systemsicherheitsdienst-Daemon)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -"<command>SSSD</command> stellt einen Satz Daemons bereit, um den Zugriff auf " -"ferne Verzeichnisse und Authentifizierungsmechanismen zu verwalten. 
Es " -"bietet eine NSS- und PAM-Schnittstelle zum System und ein erweiterbares " -"Backend-System zum Verbinden mit mehreren unterschiedlichen Kontenquellen " -"sowie der D-Bus-Schnittstelle. Es bildet außerdem die Grundlage für das " -"Bereitstellen von Client-Überprüfungen und Richtliniendiensten für Projekte " -"wie FreeIPA. Es stellt eine robustere Datenbank bereit, um lokale Benutzer " -"sowie erweiterte Benutzerdaten zu speichern." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>STUFE</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>Modus</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<emphasis>1</emphasis>: Den Debug-Nachrichten wird ein Zeitstempel " -"hinzugefügt." +"Falls das Authentifizierungsmodul Krb5 in einer SSSD-Domain benutzt wird, " +"müssen die folgenden Optionen verwendet werden. Einzelheiten über die " +"Konfiguration einer SSSD-Domain finden Sie im Abschnitt »DOMAIN-ABSCHNITTE« " +"der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. <placeholder type=\"variablelist\" " +"id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -"<emphasis>0</emphasis>: Zeitstempel in Debug-Nachrichten werden deaktiviert." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>Modus</replaceable>" +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert wurde " +"und FOO eine der Domains im Abschnitt <replaceable>[sssd]</replaceable> ist. " +"Dieses Beispiel zeigt nur die Authentifizierung mit Kerberos, sie umfasst " +"keine Identitätsanbieter." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -"<emphasis>1</emphasis>: Dem Zeitstempel in Debug-Nachrichten werden " -"Millisekunden hinzugefügt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" -msgstr "" -"<emphasis>0</emphasis>: Millisekunden werden in Zeitstempeln deaktiviert" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "erstellt eine neue Gruppe" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." 
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"sendet die Ausgabe der Fehlersuche in Dateien statt auf die " -"Standardfehlerausgabe. Standardmäßig werden die Protokolldateien in " -"<filename>/var/log/sssd</filename> gespeichert. Dort gibt es separate " -"Protokolldateien für jeden SSSD-Dienst und jede Domain." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" +"<command>sss_groupadd</command> erstellt eine neue Gruppe. Diese Gruppen " +"sind kompatibel mit POSIX-Gruppen mit der zusätzlichen Funktionalität, dass " +"sie andere Gruppen als Mitglieder enthalten können." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." 
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#: sss_groupadd.8.xml:48 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"setzt die GID der Gruppe auf den Wert von <replaceable>GID</replaceable>. " +"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 -msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "löscht ein Benutzerkonto" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" +"replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "wird nach dem Start ein Daemon." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "läuft im Vordergrund und wird kein Daemon." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." +msgstr "" +"<command>sss_userdel</command> löscht einen Benutzer, der durch den " +"Anmeldenamen <replaceable>ANMELDUNG</replaceable> vom System erkannt wird." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#: sss_userdel.8.xml:48 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. 
For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"gibt eine Konfigurationsdatei an, die nicht Standard ist. Die Voreinstellung " -"ist <filename>/etc/sssd/sssd.conf</filename>. Auskunft über die Syntax und " -"Optionen der Konfigurationsdatei finden Sie in der Handbuchseite " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"Dateien im Home-Verzeichnis des Benutzers werden zusammen mit dem Home-" +"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies " +"setzt die Konfiguration außer Kraft." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" -msgstr "" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#: sss_userdel.8.xml:60 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" +"Dateien im Home-Verzeichnis des Benutzers werden NICHT zusammen mit dem Home-" +"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies " +"setzt die Konfiguration außer Kraft." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" -msgstr "" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_userdel.8.xml:72 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" +"Diese Option erzwingt, dass <command>sss_userdel</command> das Home-" +"Verzeichnis des Benutzers und die Mail-Warteschlange sogar dann entfernt, " +"wenn sie dem angegebenen Nutzer nicht gehören." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "gibt die Versionsnummer aus und beendet sich." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" +"beendet, bevor der Benutzer tatsächlich gelöscht wird, alle seine Prozesse." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Signale" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "löscht eine Gruppe" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"Informiert SSSD, dass es anstandslos alle Kindprozesse beenden und dann das " -"Überwachungsprogramm herunterfahren soll." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." 
msgstr "" -"teilt SSSD mit, dass es das Schreiben des aktuellen Dateideskriptors zur " -"Fehlersuche stoppen, ihn schließen und erneut öffnen soll. Dies ist dazu " -"gedacht, das Rotieren von Protokolldateien mit Programmen wie Logrotate zu " -"erleichtern." +"<command>sss_groupdel</command> löscht eine Gruppe namens " +"<replaceable>GRUPPE</replaceable> vom System." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "gibt die Eigenschaften einer Gruppe aus." + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" +"<command>sss_groupshow</command> zeigt Informationen über eine Gruppe namens " +"<replaceable>GRUPPE</replaceable> an. Die Informationen umfassen die Gruppen-" +"ID-Nummer, Mitglieder der Gruppe, sowie die übergeordnete Gruppe." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -"Falls die Umgebungsvariable SSS_NSS_USE_MEMCACHE auf »NO« gesetzt ist, " -"nutzen Client-Anwendungen den schnellen speicherinternen Zwischenspeicher " -"nicht." +"gibtt auch indirekte Gruppenmitglieder in einer baumartigen Hierarchie aus. " +"Beachten Sie, dass dies auch die Ausgabe der übergeordneten Gruppen " +"beeinflusst – ohne <option>R</option> werden nur die unmittelbar " +"übergeordneten Gruppen ausgegeben." #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "verschleiert ein Klartextpasswort" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "ändert ein Benutzerkonto" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORT]</" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" "replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_usermod.8.xml:32 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"<command>sss_obfuscate</command> wandelt ein angegebenes Passwort in ein von " -"Menschen nicht lesbares Format um und legt es in einem geeigneten Domain-" -"Abschnitt der SSSD-Konfigurationsdatei ab." 
+"<command>sss_usermod</command> ändert das durch <replaceable>ANMELDUNG</" +"replaceable> angegebene Konto, damit es die auf der Befehlszeile angegebenen " +"Änderungen widerzuspiegelt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "das Home-Verzeichnis des Benutzerkontos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "die Anmelde-Shell des Benutzers" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -"Das Klartextpasswort wird von der Standardeingabe gelesen oder interaktiv " -"eingegeben. Das verschleierte Passwort wird in den Parameter " -"»ldap_default_authtok« einer angegebenen SSSD-Domain abgelegt und der " -"Parameter »ldap_default_authtok_type« wird auf »obfuscated_password« " -"gesetzt. Weitere Einzelheiten über diese Parameter finden Sie unter " -"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." 
+"hängt diesen Benutzer an die Gruppen an, die durch den Parameter " +"<replaceable>GRUPPEN</replaceable> angegeben werden. Der Parameter " +"<replaceable>GRUPPEN</replaceable> ist eine durch Kommata getrennte Liste " +"von Gruppennamen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"Bitte beachten Sie, dass das Verschleiern von Passwörtern <emphasis>keinen " -"wirklichen Sicherheitsgewinn</emphasis> bietet, da es einem Angreifer immer " -"noch möglich ist, das Passwort wieder herzuleiten. Es wird " -"<emphasis>dringend</emphasis> geraten, bessere Authentifizierungsmechanismen " -"wie Client-seitige Zertifikate oder GSSAPI zu verwenden." +"entfernt diesen Benutzer aus Gruppen, die durch den Parameter " +"<replaceable>GRUPPEN</replaceable> angegeben werden." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. 
The user won't be able to log in." msgstr "" -"Das Passwort, das verschleiert werden soll, wird von der Standardeingabe " -"gelesen." +"sperrt das Benutzerkonto. Der Benutzer wird sich nicht anmelden können." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" -msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." -msgstr "" -"die SSSD-Domain, in der das Passwort benutzt wird. Der Standardname ist " -"»default«." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "entsperrt das Benutzerkonto." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "der SELinux-Benutzer für die Anmeldung des Anwenders" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Ein Attribut/Wert-Paar hinzufügen. Das Format ist Attributname=Wert." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>DATEI</replaceable>" +"Ein Attribut auf ein Name/Wert-Paar setzen. Das Format ist " +"Attributname=Wert. Bei Attributen mit mehreren Werten ersetzt der Befehl die " +"bereits vorhandenen Werte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "liest die durch den Positionsparameter angegebene Konfigurationsdatei." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Voreinstellung: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Ein Attribut/Wert-Paar löschen. Das Format ist Attributname=Wert." #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "führt eine Bereinigung des Zwischenspeichers durch." #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#: sss_cache.8.xml:31 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<command>sss_cache</command> invalidates records in SSSD cache. 
Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:53 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>Anmeldung</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. 
Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." -msgstr "" +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "annulliert einen bestimmten Benutzer." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:68 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" +"annulliert alle Benutzerdatensätze. Diese Option setzt das Annullieren " +"bestimmter Benutzer außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:75 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>Gruppe</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." -msgstr "" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "annulliert eine bestimmte Gruppe." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." -msgstr "" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" +"annulliert alle Gruppendatensätze. Diese Option setzt das Annullieren " +"bestimmter Gruppen außer Kraft, falls es ebenfalls gesetzt war." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>Netzgruppe</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" -msgstr "" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "annulliert eine bestimmte Netzgruppe." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:112 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" +"annulliert alle Netzgruppendatensätze. Diese Option setzt das Annullieren " +"bestimmter Netzgruppen außer Kraft, falls es ebenfalls gesetzt war." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>Dienst</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "annulliert einen bestimmten Dienst." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:134 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" +"annulliert alle Dienstdatensätze. Diese Option setzt das Annullieren " +"bestimmter Dienste außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:141 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>Autofs-" +"Abbildung</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." -msgstr "" +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "annulliert eine bestimmte Autofs-Abbildung." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_cache.8.xml:156 msgid "" -"Remove group overrides. 
However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" +"annulliert alle Autofs-Abbildungen. Diese Option setzt das Annullieren " +"bestimmter Abbildungen außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_cache.8.xml:163 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_cache.8.xml:201 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>Domain</" +"replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "begrenzt den Annullierungsprozess auf eine bestimmte Domain." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEUE_DEBUG_STUFE</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "erstellt einen neuen Benutzer" +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "füllt den SSSD-Zwischenspeicher mit einem Benutzer" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_seed.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" "arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>BENUTZER</" "replaceable></arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_seed.8.xml:33 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" -"<command>sss_useradd</command> erstellt mittels der auf der Befehlszeile " -"angegebenen Werte sowie der Standardwerte des Systems ein neues " -"Benutzerkonto." +"<command>sss_seed</command> füllt den SSSD-Zwischenspeicher mit einem " +"Benutzereintrag und einem temporären Passwort. Falls bereits ein " +"Benutzereintrag im SSSD-Zwischenspeicher vorhanden ist, wird der Eintrag mit " +"dem temporären Passwort aktualisiert." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_seed.8.xml:46 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" - +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_seed.8.xml:51 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. 
" +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" -"setzt die UID des Benutzers auf den Wert von <replaceable>UID</replaceable>. " -"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt." +"stellt den Namen der Doamin bereit, in der der Benutzer Mitglied ist. Die " +"Domain wird auch zur Abfrage von Benutzerinformationen verwendet. Sie muss " +"in der »sssd.conf« konfiguriert sein. Die Option <replaceable>DOMAIN</" +"replaceable> muss bereitgestellt werden. Von der Domain geholte " +"Informationen setzen das, was in den Optionen bereitgestellt wurde, außer " +"Kraft." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#: sss_seed.8.xml:63 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</" +"<option>-n</option>,<option>--username</option> <replaceable>BENUTZER</" "replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sss_seed.8.xml:68 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -"irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft " -"für den vollständigen Namen des Benutzers verwendet." +"der Benutzername des Eintrags, der im Zwischenspeicher erstellt oder " +"verändert werden soll. Die Option <replaceable>BENUTZER</replaceable> muss " +"bereitgestellt werden." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" -msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_VERZ</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "setzt die UID des Benutzers auf <replaceable>UID</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "setzt die GID des Benutzers auf <replaceable>GID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" -"das Home-Verzeichnis des Benutzerkontos. Standardmäßig wird der Name für die " -"<replaceable>ANMELDUNG</replaceable> an <filename>/home</filename> angehängt " -"und dies dann als Home-Verzeichnis benutzt. Das Basisverzeichnis, das " -"<replaceable>ANMELDUNG</replaceable> vorangestellt wird, ist über die " -"Einstellung »user_defaults/baseDirectory« in der »sssd.conf« einstellbar." +"setzt das Home-Verzeichnis des Benutzers auf <replaceable>HOME_VERZ</" +"replaceable>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"setzt die Anmelde-Shell des Benutzers auf <replaceable>SHELL</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#: sss_seed.8.xml:140 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -"die Anmelde-Shell des Benutzers. Voreinstellung ist derzeit <filename>/bin/" -"bash</filename>. Die Voreinstellung kann über die Einstellung »user_defaults/" -"defaultShell« in der »sssd.conf« geändert werden." +"interaktiver Modus zur Eingabe von Benutzerinformationen. Diese Option wird " +"nur nach Informationen fragen, die nicht von den Optionen bereitgestellt " +"oder in der Domain geholt werden." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#: sss_seed.8.xml:148 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPEN</" -"replaceable>" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>PASSWORTDATEI</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "eine Liste existierender Gruppen, denen dieser Benutzer auch angehört" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"gibt die Datei an, aus der das Passwort des Benutzers gelesen wird (ist es " +"nicht angegeben, wird nach dem Passwort gefragt)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." 
msgstr "" -"erstellt das Home-Verzeichnis des Benutzers, falls es nicht existiert. Die " -"Dateien und Verzeichnisse, die in der Verzeichnisvorlage (die mit der Option " -"-k oder in der Konfigurationsdatei definiert werden kann) enthalten sind, " -"werden in das Home-Verzeichnis kopiert." +"Die Länge des Passworts (oder die Größe der mit der Option -p oder --" +"password-file angegebenen Datei) muss kleiner oder gleich PASS_MAX Byte sein " +"(64 Byte auf Systemen ohne global definiertem Wert für PASS_MAX)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "SSSD InfoPipe-Responder" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"erstellt nicht das Home-Verzeichnis des Benutzers und setzt " -"Konfigurationseinstellungen außer Kraft." 
+"Diese Handbuchseite beschreibt die Konfiguration des InfoPipe-Responders für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Eine detaillierte Syntaxreferenz finden Sie im Abschnitt " +"<quote>DATEIFORMAT</quote> in der Handbuchseite zu <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKEL-VERZ</" -"replaceable>" +"Der InfoPipe-Responder stellt eine öffentliche D-Bus-Schnittstelle bereit, " +"auf die über den Systembus zugegriffen werden kann. Die Schnittstelle " +"ermöglicht die Abfrage von Informationen zu entfernten Benutzern und Gruppen " +"über den Systembus." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" -"die Verzeichnisvorlage mit Dateien und Verzeichnissen, die in das durch " -"<command>sss_useradd</command> neu erstellte Home-Verzeichnis des Benutzers " -"kopiert werden." +"Diese Optionen können zur Konfiguration des InfoPipe-Responders verwendet " +"werden." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#: sssd-ifp.5.xml:53 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -"Spezialdateien (block- und zeichenorientierte Geräte, benannte Pipes und " -"Unix-Sockets) werden nicht kopiert." +"Gibt eine durch Kommata getrennte Liste der Benutzer-ID-Werte oder " +"Benutzernamen an, denen der Zugriff auf den InfoPipe-Responder erlaubt ist. " +"Benutzernamen werden beim Start in Benutzer-IDs aufgelöst." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:59 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -"Diese Option ist nur gültig, falls die Option <option>-m</option> (oder " -"<option>--create-home</option>) angegeben wurde oder das Erstellen von Home-" -"Verzeichnissen in der Konfiguration auf »TRUE« gesetzt ist." +"Voreinstellung: 0 (nur der Benutzer »root« darf auf den InfoPipe-Responder " +"zugreifen)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_BENUTZER</replaceable>" +"Beachten Sie, dass trotz der Verwendung der Benutzer-ID 0 als Voreinstellung " +"diese durch die Option überschrieben wird. Falls Sie wollen, dass dem Root-" +"Benutzer der Zugriff auf den InfoPipe-Responder gewährt werden soll, was der " +"typische Fall ist, müssen Sie 0 ebenfalls zur Liste der erlaubten Benutzer-" +"IDs hinzufügen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -"der SELinux-Benutzer für die Anmeldung des Benutzers. Ist er nicht " -"angegeben, wird die Voreinstellung des Systems benutzt." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +"Gibt eine durch Kommata getrennte Liste der auf die weiße (erlaubt) " +"beziehungsweise schwarze Liste (blockiert) gesetzten Attribute an." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "SSSD Kerberos-Anbieter" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." -msgstr "" -"Diese Handbuchseite beschreibt die Konfiguration des Authentifizierungs-" -"Backends Kerberos 5 für <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Eine ausführliche Syntax-Referenz " -"finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "Anmeldename des Benutzers" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 -msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." -msgstr "" -"Das Authentifizierungs-Backend Kerberos 5 enthält Authentifizierungs- und " -"Chpass-Anbieter. 
Es muss mit einem Identitätsanbieter verbunden werden, " -"damit es sauber läuft (zum Beispiel »id_provider = ldap«). Einige vom " -"Kerberos-5-Authentifizierungs-Backend benötigten Informationen wie der " -"»Kerberos Principal Name« (UPN) des Benutzers müssen durch den " -"Identitätsanbieter bereitgestellt werden. Die Konfiguration des " -"Identitätsanbieters sollte einen Eintrag haben, der den UPN angibt. " -"Einzelheiten, wie dies konfiguriert wird, finden Sie in der Handbuchseite " -"des entsprechenden Identitätsanbieters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." -msgstr "" -"Dieses Backend stellt ebenso eine Zugriffssteuerung bereit, die auf der " -"Datei .k5login im Home-Verzeichnis des Benutzers basiert. Weitere " -"Einzelheiten finden Sie unter <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Bitte beachten Sie, " -"dass eine leere .k5login-Datei jegliche Zugriffe durch diesen Benutzer " -"verbietet. Verwenden Sie »access_provider = krb5« in Ihrer SSSD-" -"Konfiguration, um diese Funktionalität zu aktivieren." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "Benutzer-ID" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "primäre Gruppen-ID" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "Benutzerinformation, typischerweise der vollständige Name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "Benutzershell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." 
+"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -"Im Fall, dass UPN nicht im Identitäts-Backend verfügbar ist, wird " -"<command>sssd</command> mittels des Formats <replaceable>Benutzername</" -"replaceable>@<replaceable>Krb5_Realm</replaceable> einen UPN konstruieren." +"In der Voreinstellung erlaubt der InfoPipe-Responder nur die Abfrage des " +"Standardsatzes an POSIX-Attributen. Dieser Satz ist der gleiche, wie er von " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> zurückgegeben wird und enthält Folgendes: " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -"gibt eine durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen " -"der Kerberos-Server in der Reihenfolge an, in der sich SSSD mit ihnen " -"verbinden soll. 
Weitere Informationen über Ausfallsicherung und Redundanz " -"finden Sie im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder " -"Rechnernamen kann eine optionale Portnummer (der ein Doppelpunkt " -"vorangestellt ist) angehängt werden. Falls dies leer gelassen wurde, wird " -"die Dienstsuche aktiviert. Weitere Informationen finden Sie im Abschnitt " -"»DIENSTSUCHE«." +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"der Name des Kerberos-Realms. Diese Option wird benötigt und muss angegeben " -"werden." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (Zeichenkette)" +"Es ist möglich, ein weiteres Attribut zu diesem Satz hinzuzufügen, indem Sie " +"<quote>+attr_name</quote> verwenden. Explizit entfernen lässt sich ein " +"Attribut mit <quote>-attr_name</quote>. Um beispielsweise " +"<quote>telephoneNumber</quote> zu erlauben, aber <quote>loginShell</quote> " +"abzuweisen, können Sie folgende Konfiguration verwenden: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -"Falls der Dienst zum Ändern von Passwörtern auf der " -"Schlüsselverwaltungszentrale (KDC) nicht läuft, können hier alternative " -"Server definiert werden. An die Adressen oder Rechnernamen kann eine " -"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt " -"werden." +"Voreinstellung: Nicht gesetzt. Nur der Standardsatz an POSIX-Attributen ist " +"erlaubt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im " -"Abschnitt »AUSFALLSICHERUNG«. HINWEIS: Selbst wenn es keine weiteren " -"»kpasswd«-Server mehr auszuprobieren gibt, wird das Backend nicht offline " -"gehen, da eine Authentifizierung gegen die Schlüsselverwaltungszentrale " -"(KDC) immer noch möglich ist." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Voreinstellung: KDC benutzen" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -"Das Verzeichnis zum Ablegen von Anmeldedaten-Zwischenspeichern. Alle " -"Ersetzungssequenzen von krb5_ccname_template können hier auch verwendet " -"werden, außer %d und %P. Das Verzeichnis wird als privat angelegt und ist " -"Eigentum des Benutzers. Die Zugriffsrechte werden auf 0700 gesetzt." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Voreinstellung: /tmp" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (Zeichenkette)" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "Anmeldename" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "Anmelde-UID" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "Principal-Name" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "Realm-Name" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "Home-Verzeichnis" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" -msgstr "Wert von krb5_ccachedir" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" -msgstr "die Prozess-ID des SSSD-Clients" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "ein buchstäbliches »%«" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 -msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. 
The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -"Der Ort für die Zwischenspeicherung der Anmeldedaten des Benutzers. Drei " -"Zwischenspeichertypen werden derzeit unterstützt: <quote>FILE</quote>, " -"<quote>DIR</quote> und <quote>KEYRING:persistent</quote>. Der " -"Zwischenspeicher kann entweder als <replaceable>TYP:REST</replaceable> oder " -"als absoluter Pfad angegeben werden, wobei Letzteres den Typ <quote>FILE</" -"quote> beinhaltet. In der Schablone werden die folgenden Sequenzen ersetzt: " -"<placeholder type=\"variablelist\" id=\"0\"/> Falls die Vorlage mit »XXXXXX« " -"endet, wird mkstemp(3) verwendet, um auf sichere Weise einen eindeutigen " -"Dateinamen zu erzeugen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 -msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -"Wenn der KEYRING-Typ verwendet wird, ist <quote>KEYRING:persistent:%U</" -"quote> der einzige unterstützte Mechanismus. Hierfür wird der Schlüsselbund " -"des Linux-Kernels zum Speichern der Anmeldedaten getrennt nach Benutzer-IDs " -"verwendet. 
Dies wird auch empfohlen, da es die sicherste und " -"vorausberechenbarste Methode ist." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -"Der Vorgabewert für den Anmeldedaten-Zwischenspeicher wird aus dem im " -"Abschnitt [libdefaults] der Datei krb5.conf enthaltenen Profil der " -"systemweiten Konfiguration bezogen. Der Name der Option ist " -"default_ccache_name. Im Abschnitt PARAMETER EXPANSION der Handbuchseite zu " -"krb5.conf(5) finden Sie zusätzliche Informationen zu dem in krb5.conf " -"definierten Format." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 -msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" -msgstr "Voreinstellung: (aus libkrb5)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -"Zeitüberschreitung in Sekunden, nach der eine Online-Anfrage zur " -"Authentifizierung oder Passwortänderung gescheitert ist. Falls möglich, wird " -"die Authentifizierung offline fortgesetzt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. 
This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -"prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung ist. " -"Die Einträge der Keytab werden der Reihe nach kontrolliert und der erste " -"Eintrag mit einem passenden Realm wird für die Überprüfung benutzt. Falls " -"keine Einträge dem Realm entsprechen, wird der letzte Eintrag der Keytab " -"verwendet. Dieser Prozess kann zur Überprüfung von Umgebungen mittels Realm-" -"übergreifendem Vertrauen benutzt werden, indem der dazugehörige Keytab-" -"Eintrag als letzter oder einziger Eintrag in der Keytab-Datei abgelegt wird." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 -msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -"der Speicherort der Keytab, der bei der Überprüfung von Berechtigungen " -"benutzt wird, die von Schlüsselverwaltungszentralen (KDCs) stammen." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Voreinstellung: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -"speichert das Passwort des Benutzers, falls der Anbieter offline ist, und " -"benutzt es zur Abfrage des TGTs, wenn der Anbieter wieder online geht." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." 
msgstr "" -"HINWEIS: Diese Funktionalität ist nur auf Linux verfügbar. Passwörter, die " -"auf diese Weise gespeichert wurden, werden im Klartext im Schlüsselbund des " -"Kernels aufbewahrt. Darauf kann unter Umständen (mit Mühe) durch den " -"Benutzer Root zugegriffen werden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"fordert ein erneuerbares Ticket mit einer Gesamtlebensdauer an. Es wird als " -"Ganzzahl, der direkt eine Zeiteinheit folgt, angegeben:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "<emphasis>s</emphasis> für Sekunden" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "SIEHE AUCH" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "<emphasis>m</emphasis> für Minuten" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "<emphasis>h</emphasis> für Stunden" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "<emphasis>d</emphasis> für Tage" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." -msgstr "" -"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "holt autorisierte OpenSSH-Schlüssel" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die erneuerbare " -"Lebensdauer auf eineinhalb Stunden zu setzen, verwenden Sie »90m« statt " -"»1h30m«." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>Optionen</replaceable> </arg> <arg " +"choice='plain'><replaceable>BENUTZER</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "Voreinstellung: nicht gesetzt, d.h. das TGT ist nicht erneuerbar." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." 
+msgstr "" +"<command>sss_ssh_authorizedkeys</command> beschafft öffentliche SSH-" +"Schlüssel für den Anwender <replaceable>BENUTZER</replaceable> und gibt sie " +"im OpenSSH-Format »authorized_keys« aus (weitere Informationen finden Sie im " +"Abschnitt »AUTHORIZED_KEYS-DATEIFORMAT« von " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -"Anforderungsticket mit einer Lebensdauer, angegeben als Ganzzahl, der direkt " -"eine Zeiteinheit folgt:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die Lebensdauer auf " -"eineinhalb Stunden zu setzen, verwenden Sie »90m« statt »1h30m«." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -"Voreinstellung: nicht gesetzt, d.h. die Standardlebenszeit des Tickets auf " -"der Schlüsselverwaltungszentrale (KDC)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -"die Zeit in Sekunden zwischen zwei Prüfungen, ob das TGT erneuert werden " -"soll. TGTs werden erneuert, wenn ungefähr die Hälfte ihrer Lebensdauer " -"überschritten ist. Sie wird als Ganzzahl, der unmittelbar eine Zeiteinheit " -"folgt, angegeben:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -"Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische " -"Erneuerung deaktiviert." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (Zeichenkette)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -"Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die " -"Vorauthentifizierung von Kerberos ein. 
Die folgenden Optionen werden " -"unterstützt:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -"<emphasis>never</emphasis>: FAST wird nie benutzt. Dies ist so, als ob diese " -"Einstellung gar nicht gemacht würde." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -"<emphasis>try</emphasis>: Es wird versucht, FAST zu benutzen. Falls der " -"Server kein FAST unterstützt, fährt die Authentifizierung ohne fort." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"<emphasis>demand</emphasis>: Fragt nach, ob FAST benutzt werden soll. Die " -"Authentifizierung schlägt fehl, falls der Server kein FAST erfordert." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt" +"sucht nach öffentlichen Schlüsseln von Benutzern in der SSSD-Domain " +"<replaceable>DOMAIN</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." -msgstr "HINWEIS: Zur Benutzung von FAST ist eine Keytab erforderlich." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "EXIT-STATUS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." 
msgstr "" -"HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und neuer. " -"Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, ist die " -"Verwendung dieser Option ein Konfigurationsfehler." +"Im Erfolgsfall ist der Rückgabewert 0, andernfalls wird 1 zurückgegeben." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (Zeichenkette)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." -msgstr "gibt den Server-Principal zur Benutzung von FAST an." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "holt OpenSSH-Rechnerschlüssel" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -"gibt an, ob der Rechner und User-Principal in die kanonische Form gebracht " -"werden sollen. Diese Funktionalität ist mit MIT-Kerberos 1.7 und neueren " -"Versionen verfügbar." 
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>Optionen</replaceable> </arg> <arg " +"choice='plain'><replaceable>RECHNER</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_BEFEHL</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" +"Falls ein <replaceable>PROXY_BEFEHL</replaceable> angegeben wurde, wird er " +"zum Erstellen der Verbindung mit dem Rechner benutzt, anstatt ein Socket zu " +"öffnen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " -#| "more information on the locator plugin." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." 
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> kann durch Verwendung der folgenden Richtlinien für die " +"Konfiguration von <citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> so eingerichtet werden, dass es " +"<command>sss_ssh_knownhostsproxy</command> zur Authentifizierung des " +"Rechnerschlüssels benutzt: <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -"Weitere Informationen über die Locator-Erweiterung finden Sie auf der " -"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>." +"benutzt Port <replaceable>PORT</replaceable> zur Verbindung mit dem Rechner. " +"Standardmäßig wird Port 22 verwendet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" +"sucht in der SSSD-Domain nach <replaceable>DOMAIN</replaceable> öffentlichen " +"Schlüsseln für den Rechner." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (Boolesch)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -"gibt an, ob der User Principal als Enterprise Principal betrachtet werden " -"soll. Weitere Informationen über Enterprise Principals finden Sie in " -"Abschnitt 5 von RFC 6806." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" -msgstr "Voreinstellung: falsch (AD-Anbieter: wahr)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -"Falls das Authentifizierungsmodul Krb5 in einer SSSD-Domain benutzt wird, " -"müssen die folgenden Optionen verwendet werden. Einzelheiten über die " -"Konfiguration einer SSSD-Domain finden Sie im Abschnitt »DOMAIN-ABSCHNITTE« " -"der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>. <placeholder type=\"variablelist\" " -"id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: idmap_sss.8.xml:62 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert wurde " -"und FOO eine der Domains im Abschnitt <replaceable>[sssd]</replaceable> ist. " -"Dieses Beispiel zeigt nur die Authentifizierung mit Kerberos, sie umfasst " -"keine Identitätsanbieter." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "erstellt eine neue Gruppe" +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#: sssctl.8.xml:21 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssctl.8.xml:32 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -"<command>sss_groupadd</command> erstellt eine neue Gruppe. Diese Gruppen " -"sind kompatibel mit POSIX-Gruppen mit der zusätzlichen Funktionalität, dass " -"sie andere Gruppen als Mitglieder enthalten können." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." 
msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"setzt die GID der Gruppe auf den Wert von <replaceable>GID</replaceable>. " -"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "löscht ein Benutzerkonto" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 +msgid "" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" -"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-files.5.xml:72 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." 
+"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -"<command>sss_userdel</command> löscht einen Benutzer, der durch den " -"Anmeldenamen <replaceable>ANMELDUNG</replaceable> vom System erkannt wird." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Dateien im Home-Verzeichnis des Benutzers werden zusammen mit dem Home-" -"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies " -"setzt die Konfiguration außer Kraft." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" -msgstr "<option>-R</option>,<option>--no-remove</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 -msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. 
Overrides the configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" -"Dateien im Home-Verzeichnis des Benutzers werden NICHT zusammen mit dem Home-" -"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies " -"setzt die Konfiguration außer Kraft." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Diese Option erzwingt, dass <command>sss_userdel</command> das Home-" -"Verzeichnis des Benutzers und die Mail-Warteschlange sogar dann entfernt, " -"wenn sie dem angegebenen Nutzer nicht gehören." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -"beendet, bevor der Benutzer tatsächlich gelöscht wird, alle seine Prozesse." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "löscht eine Gruppe" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. 
" +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-files.5.xml:132 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -"<command>sss_groupdel</command> löscht eine Gruppe namens " -"<replaceable>GRUPPE</replaceable> vom System." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "gibt die Eigenschaften einer Gruppe aus." - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-files.5.xml:143 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. 
The information " -"includes the group ID number, members of the group and the parent group." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -"<command>sss_groupshow</command> zeigt Informationen über eine Gruppe namens " -"<replaceable>GRUPPE</replaceable> an. Die Informationen umfassen die Gruppen-" -"ID-Nummer, Mitglieder der Gruppe, sowie die übergeordnete Gruppe." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -"gibtt auch indirekte Gruppenmitglieder in einer baumartigen Hierarchie aus. " -"Beachten Sie, dass dies auch die Ausgabe der übergeordneten Gruppen " -"beeinflusst – ohne <option>R</option> werden nur die unmittelbar " -"übergeordneten Gruppen ausgegeben." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "ändert ein Benutzerkonto" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</" -"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sssd-secrets.5.xml:23 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"<command>sss_usermod</command> ändert das durch <replaceable>ANMELDUNG</" -"replaceable> angegebene Konto, damit es die auf der Befehlszeile angegebenen " -"Änderungen widerzuspiegelt." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "das Home-Verzeichnis des Benutzerkontos" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "die Anmelde-Shell des Benutzers" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -"hängt diesen Benutzer an die Gruppen an, die durch den Parameter " -"<replaceable>GRUPPEN</replaceable> angegeben werden. Der Parameter " -"<replaceable>GRUPPEN</replaceable> ist eine durch Kommata getrennte Liste " -"von Gruppennamen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." -msgstr "" -"entfernt diesen Benutzer aus Gruppen, die durch den Parameter " -"<replaceable>GRUPPEN</replaceable> angegeben werden." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." -msgstr "" -"sperrt das Benutzerkonto. Der Benutzer wird sich nicht anmelden können." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "entsperrt das Benutzerkonto." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." -msgstr "der SELinux-Benutzer für die Anmeldung des Anwenders" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." -msgstr "Ein Attribut/Wert-Paar hinzufügen. Das Format ist Attributname=Wert." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Ein Attribut auf ein Name/Wert-Paar setzen. 
Das Format ist " -"Attributname=Wert. Bei Attributen mit mehreren Werten ersetzt der Befehl die " -"bereits vorhandenen Werte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." -msgstr "Ein Attribut/Wert-Paar löschen. Das Format ist Attributname=Wert." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "führt eine Bereinigung des Zwischenspeichers durch." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. 
Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>Anmeldung</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "annulliert einen bestimmten Benutzer." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -"annulliert alle Benutzerdatensätze. Diese Option setzt das Annullieren " -"bestimmter Benutzer außer Kraft, falls es ebenfalls gesetzt war." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>Gruppe</" -"replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "annulliert eine bestimmte Gruppe." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" -"annulliert alle Gruppendatensätze. Diese Option setzt das Annullieren " -"bestimmter Gruppen außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 -msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>Netzgruppe</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "annulliert eine bestimmte Netzgruppe." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 -msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -"annulliert alle Netzgruppendatensätze. Diese Option setzt das Annullieren " -"bestimmter Netzgruppen außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>Dienst</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "annulliert einen bestimmten Dienst." +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:219 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -"annulliert alle Dienstdatensätze. Diese Option setzt das Annullieren " -"bestimmter Dienste außer Kraft, falls es ebenfalls gesetzt war." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>Autofs-" -"Abbildung</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "annulliert eine bestimmte Autofs-Abbildung." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -"annulliert alle Autofs-Abbildungen. Diese Option setzt das Annullieren " -"bestimmter Abbildungen außer Kraft, falls es ebenfalls gesetzt war." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:260 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 -msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#: sssd-secrets.5.xml:278 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>Domain</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." -msgstr "begrenzt den Annullierungsprozess auf eine bestimmte Domain." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 -msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEUE_DEBUG_STUFE</" -"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "füllt den SSSD-Zwischenspeicher mit einem Benutzer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>Optionen</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>BENUTZER</" -"replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -"<command>sss_seed</command> füllt den SSSD-Zwischenspeicher mit einem " -"Benutzereintrag und einem temporären Passwort. Falls bereits ein " -"Benutzereintrag im SSSD-Zwischenspeicher vorhanden ist, wird der Eintrag mit " -"dem temporären Passwort aktualisiert." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#: sssd-secrets.5.xml:323 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -"stellt den Namen der Doamin bereit, in der der Benutzer Mitglied ist. Die " -"Domain wird auch zur Abfrage von Benutzerinformationen verwendet. 
Sie muss " -"in der »sssd.conf« konfiguriert sein. Die Option <replaceable>DOMAIN</" -"replaceable> muss bereitgestellt werden. Von der Domain geholte " -"Informationen setzen das, was in den Optionen bereitgestellt wurde, außer " -"Kraft." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" -"<option>-n</option>,<option>--username</option> <replaceable>BENUTZER</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#: sssd-secrets.5.xml:335 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" -"der Benutzername des Eintrags, der im Zwischenspeicher erstellt oder " -"verändert werden soll. Die Option <replaceable>BENUTZER</replaceable> muss " -"bereitgestellt werden." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "setzt die UID des Benutzers auf <replaceable>UID</replaceable>." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." 
-msgstr "setzt die GID des Benutzers auf <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#: sssd-secrets.5.xml:359 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -"setzt das Home-Verzeichnis des Benutzers auf <replaceable>HOME_VERZ</" -"replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" -"setzt die Anmelde-Shell des Benutzers auf <replaceable>SHELL</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:372 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -"interaktiver Modus zur Eingabe von Benutzerinformationen. Diese Option wird " -"nur nach Informationen fragen, die nicht von den Optionen bereitgestellt " -"oder in der Domain geholt werden." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 -msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -"<option>-p</option>,<option>--password-file</option> " -"<replaceable>PASSWORTDATEI</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#: sssd-secrets.5.xml:385 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -"gibt die Datei an, aus der das Passwort des Benutzers gelesen wird (ist es " -"nicht angegeben, wird nach dem Passwort gefragt)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -"Die Länge des Passworts (oder die Größe der mit der Option -p oder --" -"password-file angegebenen Datei) muss kleiner oder gleich PASS_MAX Byte sein " -"(64 Byte auf Systemen ohne global definiertem Wert für PASS_MAX)." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" -msgstr "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" -msgstr "SSSD InfoPipe-Responder" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 -msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -"Diese Handbuchseite beschreibt die Konfiguration des InfoPipe-Responders für " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Eine detaillierte Syntaxreferenz finden Sie im Abschnitt " -"<quote>DATEIFORMAT</quote> in der Handbuchseite zu <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-secrets.5.xml:424 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." 
+"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -"Der InfoPipe-Responder stellt eine öffentliche D-Bus-Schnittstelle bereit, " -"auf die über den Systembus zugegriffen werden kann. Die Schnittstelle " -"ermöglicht die Abfrage von Informationen zu entfernten Benutzern und Gruppen " -"über den Systembus." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" -"Diese Optionen können zur Konfiguration des InfoPipe-Responders verwendet " -"werden." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." 
msgstr "" -"Gibt eine durch Kommata getrennte Liste der Benutzer-ID-Werte oder " -"Benutzernamen an, denen der Zugriff auf den InfoPipe-Responder erlaubt ist. " -"Benutzernamen werden beim Start in Benutzer-IDs aufgelöst." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -"Voreinstellung: 0 (nur der Benutzer »root« darf auf den InfoPipe-Responder " -"zugreifen)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 -msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" -"Beachten Sie, dass trotz der Verwendung der Benutzer-ID 0 als Voreinstellung " -"diese durch die Option überschrieben wird. Falls Sie wollen, dass dem Root-" -"Benutzer der Zugriff auf den InfoPipe-Responder gewährt werden soll, was der " -"typische Fall ist, müssen Sie 0 ebenfalls zur Liste der erlaubten Benutzer-" -"IDs hinzufügen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." 
+#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -"Gibt eine durch Kommata getrennte Liste der auf die weiße (erlaubt) " -"beziehungsweise schwarze Liste (blockiert) gesetzten Attribute an." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" -msgstr "name" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" -msgstr "Anmeldename des Benutzers" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" -msgstr "uidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" -msgstr "Benutzer-ID" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" -msgstr "gidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" -msgstr "primäre Gruppen-ID" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" -msgstr "gecos" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" -msgstr "Benutzerinformation, typischerweise der vollständige Name" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" -msgstr "homeDirectory" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" -msgstr "loginShell" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "Benutzershell" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" -msgstr "" -"In der Voreinstellung erlaubt der InfoPipe-Responder nur die Abfrage des " -"Standardsatzes an POSIX-Attributen. 
Dieser Satz ist der gleiche, wie er von " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> zurückgegeben wird und enthält Folgendes: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 +#: sssd-secrets.5.xml:473 #, no-wrap msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" " " msgstr "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-secrets.5.xml:466 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -"Es ist möglich, ein weiteres Attribut zu diesem Satz hinzuzufügen, indem Sie " -"<quote>+attr_name</quote> verwenden. Explizit entfernen lässt sich ein " -"Attribut mit <quote>-attr_name</quote>. Um beispielsweise " -"<quote>telephoneNumber</quote> zu erlauben, aber <quote>loginShell</quote> " -"abzuweisen, können Sie folgende Konfiguration verwenden: <placeholder type=" -"\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" -"Voreinstellung: Nicht gesetzt. Nur der Standardsatz an POSIX-Attributen ist " -"erlaubt." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-secrets.5.xml:484 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-secrets.5.xml:565 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#: sssd-secrets.5.xml:576 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" "\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" "\n" -"[Translation]\n" -"Method = sss\n" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 -msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "SIEHE AUCH" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" - -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" - -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "holt autorisierte OpenSSH-Schlüssel" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>Optionen</replaceable> </arg> <arg " -"choice='plain'><replaceable>BENUTZER</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#: sssd-secrets.5.xml:602 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." 
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -"<command>sss_ssh_authorizedkeys</command> beschafft öffentliche SSH-" -"Schlüssel für den Anwender <replaceable>BENUTZER</replaceable> und gibt sie " -"im OpenSSH-Format »authorized_keys« aus (weitere Informationen finden Sie im " -"Abschnitt »AUTHORIZED_KEYS-DATEIFORMAT« von " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry>)." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#: sssd-secrets.5.xml:606 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." 
+"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. 
SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." 
+"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. 
It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -"sucht nach öffentlichen Schlüsseln von Benutzern in der SSSD-Domain " -"<replaceable>DOMAIN</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" -msgstr "EXIT-STATUS" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#: sssd-kcm.8.xml:31 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -"Im Erfolgsfall ist der Rückgabewert 0, andernfalls wird 1 zurückgegeben." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "holt OpenSSH-Rechnerschlüssel" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>Optionen</replaceable> </arg> <arg " -"choice='plain'><replaceable>RECHNER</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_BEFEHL</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -"Falls ein <replaceable>PROXY_BEFEHL</replaceable> angegeben wurde, wird er " -"zum Erstellen der Verbindung mit dem Rechner benutzt, anstatt ein Socket zu " -"öffnen." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 +#: sssd-kcm.8.xml:67 msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." 
msgstr "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> kann durch Verwendung der folgenden Richtlinien für die " -"Konfiguration von <citerefentry><refentrytitle>ssh</refentrytitle> " -"<manvolnum>1</manvolnum></citerefentry> so eingerichtet werden, dass es " -"<command>sss_ssh_knownhostsproxy</command> zur Authentifizierung des " -"Rechnerschlüssels benutzt: <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -"benutzt Port <replaceable>PORT</replaceable> zur Verbindung mit dem Rechner. " -"Standardmäßig wird Port 22 verwendet." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:76 msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." 
+"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"sucht in der SSSD-Domain nach <replaceable>DOMAIN</replaceable> öffentlichen " -"Schlüsseln für den Rechner." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#: sssd-kcm.8.xml:122 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." 
+"systemctl restart sssd-kcm.service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#: sssd-kcm.8.xml:131 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#: sssd-kcm.8.xml:164 msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. 
If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of the AD provider for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " +#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page." msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des AD-Anbieters für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id,max_id (Ganzzahl)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Voreinstellung: 6" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (Ganzzahl)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"How big can a credential cache be per ccache. 
Each service ticket accounts " +"into this quota." msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Voreinstellung: 6" + #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-kcm.8.xml:247 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." 
+"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. 
Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 #, no-wrap msgid "" -"passwd: sss files\n" -"group: sss files\n" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." 
+"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 #, no-wrap msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 +msgid "" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "user_attributes = +telephoneNumber, -loginShell\n" +#| " " msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." 
+"attr:string\n" +"value:string\n" +" " msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 -msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 -msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 #, no-wrap msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +"filter:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 -msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" -msgstr "" +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 -msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "SSSD LDAP-Anbieter" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration von LDAP-Domains für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
Detaillierte Syntax-Informationen finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "die Objektklasse eines Benutzereintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Voreinstellung: posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "das LDAP-Attribut, das zum Anmeldenamen des Benutzers gehört" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "das LDAP-Attribut, das zu der ID des Benutzers gehört" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "Voreinstellung: uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "das LDAP-Attribut, das zu der Hauptgruppen-ID des Benutzers gehört" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Voreinstellung: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "das LDAP-Attribut, das zum Gecos-Feld des Benutzers gehört" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Voreinstellung: gecos" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" +"das LDAP-Attribut, das den Namen des Home-Verzeichnisses des Benutzers " +"enthält" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" +"das LDAP-Attribut, das den Pfad zur Standard-Shell des Benutzers enthält" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Voreinstellung: loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"das LDAP-Attribut, das die objectSID eines LDAP-Benutzerobjekts enthält. " +"Dies wird normalerweise nur für Active-Directory-Server benötigt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" +"das LDAP-Attribut, das den Zeitstempel der letzten Änderung im " +"übergeordneten Objekt enthält" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Voreinstellung: modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." 
msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (Datum der letzten Passwortänderung) gehört." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Voreinstellung: shadowLastChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (Mindestpasswortalter) gehört." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Voreinstellung: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (maximales Passwortalter) gehört." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Voreinstellung: shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (Passwortwarnperiode) gehört." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Voreinstellung: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." 
msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (Passwortinaktivitätsperiode) gehört." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Voreinstellung: shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den " +"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (Ablaufdatum des Kontos) gehört." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Voreinstellung: shadowExpire" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" +"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter " +"den Namen eines LDAP-Attributs, in dem Datum und Zeit der letzten " +"Passwortänderung in Kerberos gespeichert sind." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Voreinstellung: krbLastPwdChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" +"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter " +"den Namen eines LDAP-Attributs, welches das Datum und die Zeit enthält, wann " +"das aktuelle Passwort erlischt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Voreinstellung: krbPasswordExpiration" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" +"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter " +"den Namen eines LDAP-Attributs, in dem die Zeit gespeichert ist, wann das " +"Konto erlischt." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Voreinstellung: accountExpires" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" +"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter " +"den Namen eines LDAP-Attributs, in dem das Steuer-Bit-Feld des " +"Benutzerkontos gespeichert ist." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Voreinstellung: userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" +"Wenn »ldap_account_expire_policy=rhds« oder Entsprechendes benutzt wird, " +"legt dieser Parameter fest, ob Zugriff gewährt wird oder nicht." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "Voreinstellung: nsAccountLock" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. 
Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" +"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut " +"fest, ob Zugriff gewährt wird oder nicht." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Voreinstellung: loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" +"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieser Parameter " +"fest, bis zu welchem Datum Zugriff gewährt wird." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" +"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut die " +"Stunden eines Wochentages fest, in denen Zugriff gewährt wird." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Voreinstellung: loginAllowedTimeMap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" +"das LDAP-Attribut, das den Kerberos User Principal Name (UPN/" +"Hauptbenutzername) enthält." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Voreinstellung: krbPrincipalName" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" +"Durch Kommata getrennte Liste der LDAP-Attribute, die SSSD zusammen mit den " +"üblichen Benutzerattributen holen soll." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" +"Die Liste kann entweder nur Namen von LDAP-Attributen enthalten, oder durch " +"Doppelpunkte getrennte Tupel aus Attributnamen des SSSD-Zwischenspeichers " +"und Namen von LDAP-Attributen. Wenn nur die Namen von LDAP-Attributen " +"angegeben werden, wird das Attribut unverändert im Zwischenspeicher " +"gespeichert. Die Verwendung eines benutzerdefinierten SSSD-Attributnamens " +"kann in Umgebungen notwendig sein, in denen mehrere SSSD-Domains mit " +"unterschiedlichen LDAP-Schemata eingerichtet sind." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." 
+"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" +"Bitte beachten Sie, dass diverse Attributnamen durch SSSD reserviert sind, " +"beispielsweise das Attribut <quote>name</quote>. SSSD würde einen Fehler " +"melden, falls eines der reservierten Attribute als zusätzlicher Attributname " +"verwendet wird." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" +"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als " +"<quote>telephoneNumber</quote> im Zwischenspeicher." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" +"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als " +"<quote>phone</quote> im Zwischenspeicher." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" +"das LDAP-Attribut, das die öffentlichen SSH-Schlüssel des Benutzers enthält" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" +"das LDAP-Attribut, das die Gruppenmitgliedschaften des Benutzers aufführt" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Voreinstellung: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"Falls »access_provider=ldap« und »ldap_access_order=authorized_service« " +"benutzt werden, wird SSSD die Anwesenheit das Attributs »authorizedService« " +"im LDAP-Eintrag den Benutzers nutzen, um die Zugriffsrechte zu bestimmen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"Ein explizites Verweigern (»!svc«) wird zuerst aufgelöst. Als Zweites sucht " +"SSSD eine explizite Erlaubnis (»svc«) und zuletzt nach »allow_all« (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " +"»authorized_service« enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_user_authorized_service« funktioniert." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Voreinstellung: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" +"Falls »access_provider=ldap« und »ldap_access_order=host« benutzt werden, " +"wird SSSD die Anwesenheit das Attributs »host« im LDAP-Eintrag den Benutzers " +"verwenden, um die Zugriffsrechte zu bestimmen." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" +"Ein explizites Verweigern (»!host«) wird zuerst aufgelöst. Als Zweites sucht " +"SSSD eine explizite Erlaubnis (»host«) und zuletzt nach »allow_all« (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." 
+"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« »host« " +"enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_user_authorized_host« funktioniert." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Voreinstellung: host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. 
For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. 
<placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. 
If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "die Objektklasse eines Gruppeneintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Voreinstellung: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "das LDAP-Attribut, das dem Gruppennamen entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "das LDAP-Attribut, das der Gruppen-ID entspricht" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Voreinstellung: memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. 
Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"das LDAP-Attribut, das die ObjectSID eines LDAP-Gruppenobjekts enthält. Dies " +"wird normalerweise nur für Active-Directory-Server benötigt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 #, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the AD provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." 
+"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -"Diese Handbuchseite beschreibt die Konfiguration des AD-Anbieters für " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " -"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Das LDAP-Attribut, das einen Ganzzahlwert enthält, der den Gruppentyp und " +"eventuell weitere Flags enthält." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" +"Dieses Attribut wird derzeit nur vom AD-Anbieter verwendet, um zu ermitteln, " +"ob eine Gruppe eine lokale Domain-Gruppe ist und aus den vertrauenswürdigen " +"Domains herausgefiltert werden sollte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (Ganzzahl)" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id,max_id (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "die Objektklasse eines Netzgruppeneintrags in LDAP" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Voreinstellung: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" +"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_object_class« benutzt " +"werden." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (Ganzzahl)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Voreinstellung: nisNetgroup" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Voreinstellung: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "das LDAP-Attribut, das dem Netzgruppennamen entspricht" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" +"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_name« benutzt werden." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (Zeichenkette)" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "das LDAP-Attribut, das die Namen der Netzgruppenmitglieder enthält" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" +"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_member« benutzt werden." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Voreinstellung: memberNisNetgroup" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (Zeichenkette)" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"das LDAP-Attribut, das die Netzgruppen-Triples (Rechner, Benutzer, Domain) " +"enthält" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Voreinstellung: nisNetgroupTriple" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (Zeichenkette)" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Voreinstellung: ipService" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap -msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap -msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "DIENSTABSCHNITTE" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "die Objektklasse eines Diensteintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" +"das LDAP-Attribut, das die Namen von Dienstattributen und ihre Alias enthält" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "das LDAP-Attribut, das den von diesem Dienst verwalteten Port enthält" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Voreinstellung: ipServicePort" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" +"das LDAP-Attribut, das die von diesem Dienst verstandenen Protokolle enthält" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Voreinstellung: ipServiceProtocol" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "die Objektklasse eines Sudo-Regeleintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Voreinstellung: sudoRole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "das LDAP-Attribut, das dem Namen des Befehls entspricht" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Voreinstellung: sudoCommand" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" +"das LDAP-Attribut, das dem Rechnernamen (oder der IP-Adresse, dem IP-" +"Netzwerk oder des Netzwerkgruppe des Rechners) entspricht" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Voreinstellung: sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" +"das LDAP-Attribut, das dem Benutzernamen (oder der UID, dem Gruppennamen " +"oder der Netzwerkgruppe des Benutzers) entspricht" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Voreinstellung: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "das LDAP-Attribut, das den Sudo-Optionen entspricht" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Voreinstellung: sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" +"das LDAP-Attribut, das dem Benutzernamen entspricht, unter dem Befehle " +"ausgeführt werden können" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Voreinstellung: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" +"das LDAP-Attribut, das dem Gruppennamen oder der GID der Gruppe entspricht, " +"worunter Befehle ausgeführt werden können" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Voreinstellung: sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" +"das LDAP-Attribut, das dem Startdatum und der Startzeit entpricht, wann die " +"Sudo-Regel gültig wird." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Voreinstellung: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" +"das LDAP-Attribut, das dem Ablaufdatum und der Ablaufzeit entspricht, nach " +"der die Sudo-Regel nicht länger gültig ist." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Voreinstellung: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Voreinstellung: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "AUTOFS-OPTIONEN" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." +msgstr "die Objektklasse eines Automount-Abbildungseintrags in LDAP" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (Zeichenkette)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "der Name eines Automount-Abbildungseintrags in LDAP" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (Zeichenkette)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" +"der Schlüssel eines Automount-Eintrags in LDAP. Normalerweise entspricht der " +"Eintrag einem Einhängepunkt." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (Zeichenkette)" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> 
@@ -18661,3 +19040,17 @@ msgstr "" #~ msgid "Default: homeDirectory" #~ msgstr "Voreinstellung: homeDirectory" + +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (Ganzzahl)" + +#~ msgid "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#~ msgstr "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" diff --git a/src/man/po/es.po b/src/man/po/es.po index b86b1190792..f32f5fbaec4 100644 --- a/src/man/po/es.po +++ b/src/man/po/es.po @@ -17,8 +17,8 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" -"PO-Revision-Date: 2019-09-09 02:44+0000\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" +"PO-Revision-Date: 2019-11-16 03:52+0000\n" "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n" "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/" "es/)\n" @@ -40,7 +40,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Páginas de manual de SSSD" 
@@ -86,7 +86,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "DESCRIPCION" @@ -156,7 +156,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -165,7 +165,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Formatos de archivo y convenciones" 
@@ -362,12 +362,12 @@ msgstr "" "habilitado para el registro de la depuración SSSD esta opción se ignora." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Predeterminado: true" 
@@ -387,19 +387,23 @@ msgstr "" "se ignora." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Predeterminado: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -425,8 +429,8 @@ msgstr "" "Advierta que después de tres pulsaciones perdidas el servicio se terminará." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Predeterminado: 10" @@ -441,7 +445,7 @@ msgid "The [sssd] section" msgstr "La sección [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Parámetros de sección" @@ -502,12 +506,12 @@ msgstr "" "usen para ejecución: \"systemctl enable sssd-@service@.socket\". </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -516,7 +520,7 @@ msgstr "" "de datos del proveedor, o de reiniciarse antes de abandonar" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Predeterminado: 3" 
@@ -542,7 +546,7 @@ msgstr "" "bajos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (cadena)" @@ -567,12 +571,12 @@ msgstr "" "las SECCIONES DOMINIO para mas información sobre estas expresiones regulares." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -584,33 +588,33 @@ msgstr "" "dominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "nombre de usuario" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" "nombre de dominio como se especifica en el fichero de configuración SSSD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." 
@@ -620,7 +624,7 @@ msgstr "" "medio de IPA de confianza." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -639,16 +643,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (booleano)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD monitorea el estado de resolv.conf para saber cuando es necesario " "actualizar su resolutor DNS interno. Por defecto, intentaremos utilizar para " 
@@ -656,7 +679,7 @@ msgstr "" "segundos en caso que inotify no pueda ser utilizado." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -667,7 +690,7 @@ msgstr "" "'false' " #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -676,7 +699,7 @@ msgstr "" "en el resto de las plataformas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -686,12 +709,12 @@ msgstr "" "utilizada siempre." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." @@ -700,7 +723,7 @@ msgstr "" "reproducción de cache de Kerberos." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." 
@@ -710,7 +733,7 @@ msgstr "" "de respuesta." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -719,12 +742,12 @@ msgstr "" "tiempo. (si no se configura __LIBKRB5_DEFAULTS__)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "usuario (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -746,17 +769,17 @@ msgstr "" "usuario que ejecuta el contestador NSS. </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "Por defecto: no ajustado, los procesos correrán como root" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " 
@@ -772,7 +795,7 @@ msgstr "" "usuario sin dar también un nombre de dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 #, fuzzy #| msgid "" #| "Please note that if this option is set all users from the primary domain " @@ -797,23 +820,23 @@ msgstr "" "con use_fully_qualified_names fijado a False." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Predeterminado: no definido" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "override_space (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -829,7 +852,7 @@ msgstr "" "predeterminado en el shell." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -842,22 +865,22 @@ msgstr "" "no modificado pero en general el resultado de la búsqueda es indefinido." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Por defecto: no ajustado (los espacios no serán reemplazados)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "certificate_verification (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "no_ocsp" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -868,57 +891,78 @@ msgstr "" "certificado no son alcanzables por el cliente." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +#, fuzzy +#| msgid "no_ocsp" +msgid "soft_ocsp" +msgstr "no_ocsp" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Predeterminado: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "no_verification" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." 
@@ -927,12 +971,12 @@ msgstr "" "para pruebas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "ocsp_default_responder=URL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -943,7 +987,7 @@ msgstr "" "OCSP por defecto e.g. http://example.com:80/ocsp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." @@ -952,12 +996,12 @@ msgstr "" "ocsp_default_responder_signing_cert." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "ocsp_default_responder_signing_cert=NAME" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -968,12 +1012,12 @@ msgstr "" "disponible en la base de datos NSS del sistema." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "Esta opción debe ser usada junto con ocsp_default_responder." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." @@ -983,12 +1027,12 @@ msgstr "" "pam_cert_db_path." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "crl_file=/PATH/TO/CRL/FILE" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -1001,7 +1045,7 @@ msgstr "" "una base de datos NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -1013,8 +1057,22 @@ msgstr "" "formato PEM, vea detalles en <citerefentry> <refentrytitle>crl</" "refentrytitle> <manvolnum>1ssl</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -1025,33 +1083,33 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "Esta página de manual fue generada para la versión NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "Esta página de manual fue generada para la versión OPENSSL." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "Se informa de las opciones desconocidas pero son ignoradas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" "Por defecto: no fijado, i.e. no restringe la verificación de certificado" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "disable_netlink (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." 
@@ -1060,7 +1118,7 @@ msgstr "" "rutas, direcciones, enlaces y disparar ciertas acciones." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" @@ -1070,17 +1128,17 @@ msgstr "" "'true'" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "Predeterminado: false (se detectan los cambio de enlace de red)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "enable_files_domain (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." @@ -1090,12 +1148,12 @@ msgstr "" "configurado." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "domain_resolution_order" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " 
@@ -1112,7 +1170,7 @@ msgstr "" "serán buscados en un orden aleatorio por cada dominio padre." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -1143,7 +1201,7 @@ msgstr "" "casos donde los nombres de usuarios se deben compartir entre dominios." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Por defecto: No definido" @@ -1166,12 +1224,12 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "SECCIONES DE SERVICIOS" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " 
@@ -1184,22 +1242,22 @@ msgstr "" "<quote>[nss]</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Opciones de configuración de servicios generales" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Estas opciones pueden usarse para configurar cualquier servicio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " @@ -1214,17 +1272,17 @@ msgstr "" "valor más bajo de este o de limite “hard” en limits.conf." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "Por defecto: 8192 (o limite “hard” en limits.conf)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " 
@@ -1239,18 +1297,18 @@ msgstr "" "configura un valor más bajo será ajustado a 10 segundos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Predeterminado: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " @@ -1262,12 +1320,12 @@ msgstr "" "siguiente:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "offline_timeout + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" 
@@ -1277,12 +1335,12 @@ msgstr "" "la siguiente forma:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "new_interval = old_interval*2 + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1293,12 +1351,12 @@ msgstr "" "forzará a una hora." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "responder_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1317,18 +1375,18 @@ msgstr "" "los servicios activados son socket o D-Bus." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Predeterminado: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "cache_first" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." @@ -1337,12 +1395,12 @@ msgstr "" "de consultar a los Proveedores de Datos." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "Opciones de configuración de NSS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1350,12 +1408,12 @@ msgstr "" "Switch (NSS)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1364,17 +1422,17 @@ msgstr "" "sobre todos los usuarios)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Predeterminado: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1385,7 +1443,7 @@ msgstr "" "valor de entry_cache_timeout para el dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1401,7 +1459,7 @@ msgstr "" "actualización del cache." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1414,17 +1472,17 @@ msgstr "" "segundos. (0 deshabilita esta función)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Predeterminado: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1435,17 +1493,17 @@ msgstr "" "entradas no existentes) antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Predeterminado: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "local_negative_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1456,17 +1514,17 @@ msgstr "" "otra vez. Fijando la opción a 0 deshabilita esta característica." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "Por defecto: 14400 (4 horas)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1480,7 +1538,7 @@ msgstr "" "usuario (UPN)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1493,17 +1551,17 @@ msgstr "" "filtrado mantendrá los usuarios miembros del listado posterior." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Predeterminado: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" @@ -1511,12 +1569,12 @@ msgstr "" "opción a false." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1525,7 +1583,7 @@ msgstr "" "especificado una explícitamente por el proveedor de datos del dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1533,7 +1591,7 @@ msgstr "" "override_homedir." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1543,24 +1601,24 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" "Por defecto: no fijado (sin sustitución para los directorios home no fijados)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1571,17 +1629,17 @@ msgstr "" "la sección [nss] o por dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "Por defecto: no fijado (SSSD usará el valor recuperado desde LDAP)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" @@ -1589,12 +1647,12 @@ msgstr "" "evaluación es:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "1. Si el shell está presente en <quote>/etc/shells</quote>, se usa." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1603,7 +1661,7 @@ msgstr "" "shells</quote>, usa el valor del parámetro shell_fallback." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." 
@@ -1612,12 +1670,12 @@ msgstr "" "shells</quote>, se usará un shell de no acceso." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "Se puede usar el comodín (*) para permitir cualquier shell." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " @@ -1628,12 +1686,12 @@ msgstr "" "los shells permitidos en allowed_shells estuviera llena." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "Una cadena vacía para el shell se pasa como-es a libc." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." 
@@ -1643,27 +1701,27 @@ msgstr "" "una nueva shell." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "Por defecto: No fijado. La shell del usuario se usa automáticamente." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "Reemplaza cualquier instancia de estos shells con shell_fallback" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1671,17 +1729,17 @@ msgstr "" "máquina." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Predeterminado: /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." @@ -1691,7 +1749,7 @@ msgstr "" "o por dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" @@ -1701,12 +1759,12 @@ msgstr "" "normalmente /bin/sh)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." 
@@ -1715,12 +1773,12 @@ msgstr "" "considerada válida." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." @@ -1729,7 +1787,7 @@ msgstr "" "cache serán validos. Fijando esta opción o cero deshabilita la memoria cache." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." @@ -1739,7 +1797,7 @@ msgstr "" "pruebas." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." @@ -1748,12 +1806,12 @@ msgstr "" "las aplicaciones clientes no usaran la memoria cache rápida." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1771,7 +1829,7 @@ msgstr "" "predeterminados." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." @@ -1780,17 +1838,17 @@ msgstr "" "opción InfoPipe si no está fijada para el contestador NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "Por defecto: no ajustada, retroceder a opción InfoPipe" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "pwfield (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." @@ -1799,12 +1857,12 @@ msgstr "" "para el campo <quote>password</quote>." #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "Esta opción puede ser también fijada por dominio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" 
@@ -1813,12 +1871,12 @@ msgstr "" "ficheros de dominio)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "Opciones de configuración PAM" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." @@ -1827,12 +1885,12 @@ msgstr "" "Authentication Module (PAM)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1841,17 +1899,17 @@ msgstr "" "los accesos escondidos (en días desde el último login en línea con éxito)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Predeterminado: 0 (Sin límite)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1860,12 +1918,12 @@ msgstr "" "login fallados están permitidos." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1875,7 +1933,7 @@ msgstr "" "intento de login sea posible." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1886,17 +1944,17 @@ msgstr "" "éxito puede habilitar otra vez la autenticación fuera de línea." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Predeterminado: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1905,44 +1963,44 @@ msgstr "" "autenticación. Cuanto mayor sea el número de mensajes más aparecen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "Actualmente sssd soporta los siguientes valores:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: no mostrar ningún mensaje" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: mostrar sólo mensajes importantes" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: mostrar mensajes informativos" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis>: mostrar todos los mensajes e información de " "depuración" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Predeterminado: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "pam_response_filter (entero)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " @@ -1955,7 +2013,7 @@ msgstr "" "variables de entorno que deberían ser fijadas por pam_sss." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." 
@@ -1964,37 +2022,37 @@ msgstr "" "pam_verbosity esta opción permite filtrar otra clase de respuestas también." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "ENV" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "No envía ninguna variable de entorno a ningún servicio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "ENV:var_name" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "No envía la variable de entorno var_name a ningún servicio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "ENV:var_name:service" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "No envía la variable de entorno var_name al servicio." #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -2003,17 +2061,17 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "Ejemplo: ENV:KRB5CCNAME:sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -2025,7 +2083,7 @@ msgstr "" "información más actual." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -2039,17 +2097,17 @@ msgstr "" "proveedor de identidad." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "Mostrar una advertencia N días antes que la contraseña caduque." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -2060,7 +2118,7 @@ msgstr "" "información desaparece, sssd no podrá mostrar un aviso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." @@ -2070,7 +2128,7 @@ msgstr "" "automáticamente." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." 
@@ -2079,17 +2137,17 @@ msgstr "" "<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Predeterminado: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "pam_trusted_users (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " @@ -2104,12 +2162,12 @@ msgstr "" "nombres de usuarios se resuelven a UIDs en el arranque." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "Por defecto: Todos los usuarios se consideran de confianza por defecto" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." 
@@ -2118,12 +2176,12 @@ msgstr "" "aunque no está en la la lista pam_trusted_users." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "pam_public_domains (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." @@ -2132,13 +2190,13 @@ msgstr "" "accesibles hasta para los usuarios en los que no se confíe." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" "Hay definidos dos valores especiales para la opción pam_public_domains:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" @@ -2146,7 +2204,7 @@ msgstr "" "dominios en el contestador PAM.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" 
@@ -2155,19 +2213,19 @@ msgstr "" "dominios PAM en el contestador.)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Predeterminado: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "pam_account_expired_message (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." @@ -2176,7 +2234,7 @@ msgstr "" "mensaje predeterminado 'Permiso denegado'." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." @@ -2186,7 +2244,7 @@ msgstr "" "mensajes e información de depuración)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -2196,12 +2254,12 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "pam_account_locked_message (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." @@ -2210,7 +2268,7 @@ msgstr "" "por defecto 'Permiso denegado'." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -2220,12 +2278,12 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "pam_cert_auth (booleano)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -2236,19 +2294,19 @@ msgstr "" "de autenticación esta opción está deshabilitada por defecto." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Por defecto: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "pam_cert_db_path (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." 
@@ -2257,17 +2315,17 @@ msgstr "" "para acceder a la Smartcard." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "Predeterminado:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "/etc/pki/nssdb (versión NSS, ruta a la base de datos NSS)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" 
@@ -2276,22 +2334,22 @@ msgstr "" "certificados CA de confianza en formato PEM)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "p11_child_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "Cuantos segundos esperará pam_sss wait para que p11_child finalice." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "pam_app_services (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" @@ -2300,12 +2358,12 @@ msgstr "" "tipo <quote>application</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "pam_p11_allowed_services (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." @@ -2314,7 +2372,7 @@ msgstr "" "permitidos usar Smartcards." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" 
@@ -2324,7 +2382,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2344,65 +2402,65 @@ msgstr "" "\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" "Predeterminado: el conjunto predeterminado de nombres de servicio PAM " "incluye:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "login" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "su" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "su-l" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "gdm-smartcard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "gdm-password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "kdm" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "sudo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "gnome-screensaver" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "p11_wait_for_card_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " 
@@ -2413,12 +2471,12 @@ msgstr "" "inserte la Smartcard." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "p11_uri (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " @@ -2436,7 +2494,7 @@ msgstr "" "específico." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2446,7 +2504,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2456,7 +2514,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " 
@@ -2469,12 +2527,12 @@ msgstr "" "GnuTLS 'p11tool' con e.g. '--list-all' mostrará PKCS#11 URIs también." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "SUDO opciones de configuración" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" @@ -2492,12 +2550,12 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (booleano)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." @@ -2506,12 +2564,12 @@ msgstr "" "entradas de sudoers dependientes del tiempo." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "sudo_threshold (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2527,22 +2585,22 @@ msgstr "" "comando." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "Opciones de configuración AUTOFS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "Estas opciones pueden ser usadas para configurar el servicio autofs." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2553,22 +2611,22 @@ msgstr "" "existentes) antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "Opciones de configuración SSH" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "Estas opciones se pueden usar para configurar el servicio SSH." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (booleano)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." @@ -2577,12 +2635,12 @@ msgstr "" "known_host. " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." 
@@ -2591,17 +2649,17 @@ msgstr "" "después de que se hayan pedido sus claves de host." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Por defecto: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "ssh_use_certificate_keys (booleano)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2615,12 +2673,43 @@ msgstr "" "manvolnum> </citerefentry> for details." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_certificate (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Por defecto: no ajustado (los espacios no serán reemplazados)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "ca_db (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." 
@@ -2630,12 +2719,12 @@ msgstr "" "públicas ssh de ellos." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "Opciones de configuración del respondedor PAC" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2653,7 +2742,7 @@ msgstr "" "se hacen algunas de las siguientes operaciones:" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2669,7 +2758,7 @@ msgstr "" "predeterminado, pero se puede sustituir con el parámetro default_shell." #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." 
@@ -2678,17 +2767,17 @@ msgstr "" "a esos grupos." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "Estas opciones pueden ser usadas para configurar el respondedor PAC." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " @@ -2698,14 +2787,14 @@ msgstr "" "usuario que tiene el acceso permitido al respondedor PAC." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" "Por defecto: 0 (sólo el usuario root tiene permitido el acceso al " "respondedor PAC)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " 
@@ -2718,12 +2807,12 @@ msgstr "" "lista de UIDs permitidas también." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "pac_lifetime (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." @@ -2733,12 +2822,12 @@ msgstr "" "usuario." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "Opciones de configuración de la grabación de sesión" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2754,32 +2843,32 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "Se pueden usar estas opciones para configurar la grabación de sesión." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "scope (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "\"none\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "NO se grabaron usuarios." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "\"some\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." 
@@ -2788,17 +2877,17 @@ msgstr "" "replaceable> y<replaceable>groups</replaceable> son grabados." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "\"all\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "Se graban todos los usuarios." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -2807,17 +2896,17 @@ msgstr "" "grabación: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "Predeterminado: \"none\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "users (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " @@ -2829,17 +2918,17 @@ msgstr "" "mayúsculas/minúsculas, etc." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "Predeterminado: Vacío. No hay usuarios coincidentes." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "groups (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " 
@@ -2851,7 +2940,7 @@ msgstr "" "minúsculas, etc." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " @@ -2863,22 +2952,22 @@ msgstr "" "pertenece el usuario." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "Predeterminado: Vacío. No empareja grupos." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "SECCIONES DE DOMINIO" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "domain_type (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2891,7 +2980,7 @@ msgstr "" "disponibles para las interfaces y utilidades de sistema operativo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." 
@@ -2900,7 +2989,7 @@ msgstr "" "<quote>application</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " @@ -2913,7 +3002,7 @@ msgstr "" "manvolnum> </citerefentry>) y el contestador PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." @@ -2922,7 +3011,7 @@ msgstr "" "<quote>id_provider=ldap</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." @@ -2931,17 +3020,17 @@ msgstr "" "<quote>Dominios aplicación</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "Predeterminado: posix" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id, max_id (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." 
@@ -2950,7 +3039,7 @@ msgstr "" "está fuera de estos límites, ésta es ignorada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" @@ -2963,7 +3052,7 @@ msgstr "" "reportados como en espera." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." @@ -2972,17 +3061,17 @@ msgstr "" "devolviéndolas por nombre o ID." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Predeterminado: 1 para min_id, 0 (sin límite) para max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerar (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2995,22 +3084,22 @@ msgstr "" "Este parámetros puede tener uno de los siguientes valores:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = Usuarios y grupos son enumerados" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = Sin enumeraciones para este dominio" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Predeterminado: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." @@ -3019,7 +3108,7 @@ msgstr "" "entradas de usuario y grupo del servidor remoto." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -3043,7 +3132,7 @@ msgstr "" "guardián interno." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -3053,7 +3142,7 @@ msgstr "" "completen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " @@ -3067,7 +3156,7 @@ msgstr "" "específico id_provider en uso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." 
@@ -3076,32 +3165,32 @@ msgstr "" "especialmente en entornos grandes." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "Se enumerarán todos los dominios de confianza descubiertos" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "No serán enumerados dominios de confianza descubiertos" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -3114,12 +3203,12 @@ msgstr "" "enumeración solo para estos dominios de confianza." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -3128,7 +3217,7 @@ msgstr "" "volver a consultar al backend" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -3146,17 +3235,17 @@ msgstr "" "están en la caché." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Predeterminado: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -3165,19 +3254,19 @@ msgstr "" "antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Por defecto: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -3186,12 +3275,12 @@ msgstr "" "antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -3200,12 +3289,12 @@ msgstr "" "válidas antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" @@ -3214,12 +3303,12 @@ msgstr "" "antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" @@ -3228,12 +3317,12 @@ msgstr "" "preguntar al backend otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" 
@@ -3242,12 +3331,12 @@ msgstr "" "automontaje válidos antes de preguntar al punto final otra vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "entry_cache_ssh_host_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." @@ -3256,12 +3345,12 @@ msgstr "" "cuanto guardar en caché la clave de host." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." @@ -3271,7 +3360,7 @@ msgstr "" "expirados o a punto de hacerlo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -3280,46 +3369,46 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "Usted puede considerar ajustar este valor a 3/4 * entry_cache_timeout." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Predeterminado: 0 (deshabilitado)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "Determina si las credenciales del usuario están también escondidas en el " "cache LDB local" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" "Las credenciales de usuario son almacenadas en un hash SHA512, no en texto " "plano" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "cache_credentials_minimal_first_factor_length (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -3331,7 +3420,7 @@ msgstr "" "SHA512 en el caché." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." @@ -3341,17 +3430,17 @@ msgstr "" "bruta." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "Predeterminado: 8" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -3364,17 +3453,17 @@ msgstr "" "grande o igual que offline_credentials_expiration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Predeterminado: 0 (ilimitado)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -3387,17 +3476,17 @@ msgstr "" "configurar un proveedor de autorización para el backend." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -3405,12 +3494,12 @@ msgstr "" "soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "<quote>proxy</quote>: Soporta un proveedor NSS heredado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" @@ -3418,7 +3507,7 @@ msgstr "" "(OBSOLETO)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3430,7 +3519,7 @@ msgstr "" "grupos locales en SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3441,8 +3530,8 @@ msgstr "" "información sobre la configuración de LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3455,8 +3544,8 @@ msgstr "" "configuración de FreeIPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3468,12 +3557,12 @@ msgstr "" "Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -3483,7 +3572,7 @@ msgstr "" "NSS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3497,7 +3586,7 @@ msgstr "" "command> lo haría." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3509,22 +3598,22 @@ msgstr "" "cualificado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "Predeterminado: FALSE (TRUE si se usa default_domain_suffix)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "No devuelve miembros de grupo para búsquedas de grupo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3543,7 +3632,7 @@ msgstr "" "devolver el grupo pedido como si estuviera vacío." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -3554,12 +3643,12 @@ msgstr "" "especialmente para grupos que contienen muchos miembros." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" @@ -3568,7 +3657,7 @@ msgstr "" "autenticación soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3579,7 +3668,7 @@ msgstr "" "citerefentry> para más información sobre la configuración LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3590,7 +3679,7 @@ msgstr "" "citerefentry> para más información sobre la configuración de Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" 
@@ -3598,17 +3687,17 @@ msgstr "" "objetivo PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> deshabilita la autenticación explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3617,12 +3706,12 @@ msgstr "" "manejar las peticiones de autenticación." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " @@ -3633,7 +3722,7 @@ msgstr "" "proveedores especiales internos son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." 
@@ -3642,12 +3731,12 @@ msgstr "" "sólo permitido para un dominio local." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> siempre niega el acceso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3660,7 +3749,7 @@ msgstr "" "configuración del módulo de acceso sencillo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3672,23 +3761,23 @@ msgstr "" "Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" "<quote>proxy</quote> para transmitir control de acceso a otro módulo PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Predeterminado: <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3697,7 +3786,7 @@ msgstr "" "el dominio. Los proveedores de cambio de passweord soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3709,7 +3798,7 @@ msgstr "" "configuración de LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3720,7 +3809,7 @@ msgstr "" "citerefentry> para más información sobre configurar Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" @@ -3728,13 +3817,13 @@ msgstr "" "otros objetivos PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" "<quote>none</quote> deniega explícitamente los cambios en la contraseña." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3743,18 +3832,18 @@ msgstr "" "puede manejar las peticiones de cambio de password." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3765,7 +3854,7 @@ msgstr "" "citerefentry> para más información sobre la configuración LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." @@ -3774,7 +3863,7 @@ msgstr "" "predeterminados IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." @@ -3783,19 +3872,19 @@ msgstr "" "predeterminados AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "<quote>none</quote>deshabilita SUDO explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" "Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " 
@@ -3812,7 +3901,7 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " @@ -3826,12 +3915,12 @@ msgstr "" "desea usar sudo cn SSSD mas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3842,7 +3931,7 @@ msgstr "" "finalice. Los proveedores selinux soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3854,14 +3943,14 @@ msgstr "" "IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" "<quote>none</quote> deshabilita ir a buscar los ajustes selinux " "explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." @@ -3870,12 +3959,12 @@ msgstr "" "manejar las peticiones de carga selinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" @@ -3885,7 +3974,7 @@ msgstr "" "soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3897,7 +3986,7 @@ msgstr "" "configuración de IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3910,18 +3999,18 @@ msgstr "" "configuración del proveedor AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" "<quote>none</quote> deshabilita el buscador de subdominios explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "session_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " @@ -3933,14 +4022,14 @@ msgstr "" "de sesiones soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" "<quote>ipa</quote> para permitir llevar a cabo tareas relacionadas con la " "sesión de usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" @@ -3948,7 +4037,7 @@ msgstr "" "de usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." 
@@ -3957,7 +4046,7 @@ msgstr "" "llevar a cabo tareas relacionadas con la sesión de usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." @@ -3967,12 +4056,12 @@ msgstr "" "sin privilegios." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -3980,7 +4069,7 @@ msgstr "" "son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3992,7 +4081,7 @@ msgstr "" "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -4004,7 +4093,7 @@ msgstr "" "IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -4016,17 +4105,17 @@ msgstr "" "proveedor AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "<quote>none</quote> deshabilita autofs explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -4035,7 +4124,7 @@ msgstr "" "proveedores de hostid soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -4047,12 +4136,12 @@ msgstr "" "configuración de IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "<quote>none</quote> deshabilita hostid explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " 
@@ -4067,7 +4156,7 @@ msgstr "" "dominios Active Directory, el nombre plano (NetBIOS) del dominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" @@ -4080,22 +4169,22 @@ msgstr "" "nombres de usuario:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "nombre de usuario" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "username@domain.name" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "dominio/nombre_de_usuario" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." @@ -4105,7 +4194,7 @@ msgstr "" "dominios Windows." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " 
@@ -4116,7 +4205,7 @@ msgstr "" "el nombre, el dominio es el resto detrás de este signo\"" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " @@ -4131,17 +4220,17 @@ msgstr "" "<quote>((?P<name>.+)@(?P<domain>[^@]+$))</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Predeterminado: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -4150,42 +4239,42 @@ msgstr "" "a usar cuando se lleven a cabo búsquedas DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Valores soportados:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Predeterminado: ipv4_first" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (entero)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -4198,7 +4287,7 @@ msgstr "" "trabajando en modo offline." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." @@ -4207,18 +4296,18 @@ msgstr "" "información sobre la resolución del servicio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Predeterminado: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -4227,55 +4316,55 @@ msgstr "" "de dominio de la pregunta al descubridor de servicio DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" "Predeterminado: Utilizar la parte del dominio del nombre de host del equipo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "Anula el valor primario GID con el especificado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "case_sensitive (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "True" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" "Distingue mayúsculas y minúsculas. Este valor es invalido para el proveedor " "AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "False" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "No sensible a mayúsculas minúsculas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "Preserving" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -4287,7 +4376,7 @@ msgstr "" "protocolo) están en minúsculas en la salida." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -4300,17 +4389,17 @@ msgstr "" "posibles son: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "Predeterminado: True (False para proveedor AD)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "subdomain_inherit (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -4322,27 +4411,27 @@ msgstr "" "siguientes opciones:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" @@ -4351,7 +4440,7 @@ msgstr "" "explícitamente ldap_krb5_keytab)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -4361,32 +4450,32 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "Aviso: Esta opción solo trabaja con el proveedor IPA y AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "flat (NetBIOS) nombre de un subdominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " @@ -4402,7 +4491,7 @@ msgstr "" "id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" 
@@ -4410,17 +4499,17 @@ msgstr "" "emphasis>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Por defecto: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" @@ -4428,12 +4517,12 @@ msgstr "" "este dominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "cached_auth_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " @@ -4446,7 +4535,7 @@ msgstr "" "incorrectas, SSSD cae de nuevo a la autenticación en linea." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." 
@@ -4456,12 +4545,12 @@ msgstr "" "confianza." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "El valor especial 0 implica que esta función está deshabilitada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " @@ -4472,17 +4561,17 @@ msgstr "" "gestionar <quote>initgroups.</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "auto_private_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "true" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." @@ -4491,7 +4580,7 @@ msgstr "" "usuario. El número GID se ignora en este caso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -4504,12 +4593,12 @@ msgstr "" "unicidad den el espacio de ID." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "false" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." @@ -4518,12 +4607,12 @@ msgstr "" "a un objeto grupo en las base de datos LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "hybrid" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 #, fuzzy #| msgid "" #| "A primary group is autogenerated for user entries whose UID and GID " @@ -4545,7 +4634,7 @@ msgstr "" "grupo, el GID primario del usaurio resuelve a este objeto grupo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." 
@@ -4554,7 +4643,7 @@ msgstr "" "una entrada de grupo, de otro modo el GID simplemente no se puede resolver." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " @@ -4565,7 +4654,7 @@ msgstr "" "también desea retener los grupos privados existentes del usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -4574,7 +4663,7 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." @@ -4583,7 +4672,7 @@ msgstr "" "POSIX IDs asignados y True para subdominios que usan mapeo de ID automático." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -4593,7 +4682,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" 
@@ -4605,7 +4694,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -4619,7 +4708,7 @@ msgstr "" "\"programlisting\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" @@ -4631,17 +4720,17 @@ msgstr "" "id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "El proxy de destino PAM próximo a." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." 
@@ -4650,12 +4739,12 @@ msgstr "" "pam existente o crear una nueva y añadir el nombre de servicio aquí." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -4666,12 +4755,12 @@ msgstr "" "$(function), por ejemplo _nss_files_getpwent." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4685,12 +4774,12 @@ msgstr "" "razones de rendimiento." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "proxy_max_children (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " 
@@ -4702,7 +4791,7 @@ msgstr "" "son encoladas." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4711,12 +4800,12 @@ msgstr "" "\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "Dominios de aplicaciones" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -4745,7 +4834,7 @@ msgstr "" "que opcionalmente herede ajustes de un dominio SSSD tradicional." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " @@ -4757,17 +4846,17 @@ msgstr "" "establecido correctamente." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "Parámetros de dominio de aplicación" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "inherit_from (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " 
@@ -4780,7 +4869,7 @@ msgstr "" "<quote>hermano</quote>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4795,7 +4884,7 @@ msgstr "" "cache y hace al atributo phone alcanzable a través del interfaz D-Bus." #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -4829,12 +4918,12 @@ msgstr "" "ldap_user_extra_attrs = phone:telephoneNumber\n" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "La sección de dominio local" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -4845,29 +4934,29 @@ msgstr "" "utiliza <replaceable>id_provider=local</replaceable>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "El shell predeterminado para los usuarios creados con herramientas de " "espacio de usuario SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Predeterminado: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4877,17 +4966,17 @@ msgstr "" "de inicio." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Predeterminado: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4896,17 +4985,17 @@ msgstr "" "Puede ser anulado desde la línea de comando." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Predeterminado: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4915,12 +5004,12 @@ msgstr "" "borrados. Puede ser anulado desde la línea de comando." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (entero)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4931,17 +5020,17 @@ msgstr "" "predeterminados en un directorio de inicio recién creado." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Predeterminado: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4954,17 +5043,17 @@ msgstr "" "<manvolnum>8</manvolnum></citerefentry>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Predeterminado: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4975,17 +5064,17 @@ msgstr "" "Si no se especifica, se utiliza un valor por defecto." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Predeterminado: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (cadena)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4996,17 +5085,17 @@ msgstr "" "único parámetro. El código de retorno del comando no es tenido en cuenta." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Predeterminado: None, no se ejecuta comando" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "SECCIÓN DE DOMINIO DE CONFIANZA" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -5023,57 +5112,57 @@ msgstr "" "soportadas en la sección de dominio de confianza son:" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "ldap_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "ldap_user_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "ldap_group_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "ldap_netgroup_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "ldap_service_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "ldap_sasl_mech," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "ad_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "ad_backup_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "ad_site," #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "use_fully_qualified_names" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." @@ -5082,12 +5171,12 @@ msgstr "" "página de manual." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "SECCIÓN DE MAPEO DEL CERTIFICADO" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -5109,7 +5198,7 @@ msgstr "" "usan autenticación PAM." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -5121,7 +5210,7 @@ msgstr "" "citerefentry>)." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" @@ -5135,12 +5224,12 @@ msgstr "" "opciones:" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "matchrule (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." 
@@ -5149,7 +5238,7 @@ msgstr "" "procesados, los demás son ignorados." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" @@ -5158,17 +5247,17 @@ msgstr "" "tengan Extended Key Usage <quote>clientAuth</quote>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "maprule (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "Define como se encuentra un usuario desde un certificado dado." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." @@ -5177,7 +5266,7 @@ msgstr "" "como <quote>ldap</quote>, <quote>AD</quote> o <quote>ipa</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." 
@@ -5186,12 +5275,12 @@ msgstr "" "encontrar un usuario con el mismo nombre." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "domains (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -5204,17 +5293,17 @@ msgstr "" "usada para añadir la regla a los subdominios también." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "Predetermiado: el dominio configurado en sssd.conf" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "priority (entero)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -5225,12 +5314,12 @@ msgstr "" "más alte mientras que <quote>4294967295</quote> es la más baja." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "Predeterminado: la prioridad más baja" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" @@ -5240,7 +5329,7 @@ msgstr "" "propiedades especiales:" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" @@ -5249,7 +5338,7 @@ msgstr "" "usuario coincidente" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " 
@@ -5262,17 +5351,17 @@ msgstr "" "short_name})</quote>" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "la opción <quote>domains</quote> es ignorada" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "SECCIÓN DE CONFIGURACIÓN INICIAL" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " @@ -5287,7 +5376,7 @@ msgstr "" "al usuario las credenciales apropiadas." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 #, fuzzy #| msgid "" #| "With the growing number of authentication methods and the possibility " 
@@ -5306,22 +5395,22 @@ msgstr "" "suministrarían una mejor flexibilidad aquí." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "[prompting/password]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "password_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "cambiar la cadena de solicitud de contraseña" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" 
@@ -5330,37 +5419,37 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "[prompting/2fa]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "first_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "para cambiar la cadena de la solicitud del primer factor" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "second_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "para cambiar la cadena de la solicitud para el segundo factor" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "single_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 #, fuzzy #| msgid "" #| "boolean value, if True there will be only a single prompt using the value " 
@@ -5376,7 +5465,7 @@ msgstr "" "cadena" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" @@ -5385,7 +5474,7 @@ msgstr "" "permitidas son: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 #, fuzzy #| msgid "" #| "Each supported authentication method has it's own configuration sub-" @@ -5403,7 +5492,7 @@ msgstr "" "\"variablelist\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 #, fuzzy #| msgid "" #| "It is possible to add a sub-section for specific PAM services like e.g. " @@ -5419,12 +5508,12 @@ msgstr "" "consulta para este servicio." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "EJEMPLOS" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -5478,7 +5567,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -5491,7 +5580,7 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" 
@@ -5501,7 +5590,7 @@ msgstr "" "use_fully_qualified_names = false\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -5518,7 +5607,7 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -5540,7 +5629,7 @@ msgstr "" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " @@ -5616,12 +5705,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "OPCIONES DE CONFIGURACIÓN" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -5637,35 +5726,35 @@ msgstr "" "vea la sección <quote>DESCUBRIDOR DE SERVICIOS</quote>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" "El formato de la URI debe coincidir con el formato definido en RFC 2732:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<host>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" "Para direcciones IPv6 explícitas, <host> debe estar entre corchetes []" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "ejemplo: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -5678,31 +5767,31 @@ msgstr "" "sobre failover y redundancia de servidor." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "Para habilitar el servicio descubrimiento ldap_chpass_dns_service_name debe " "ser establecido." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Por defecto: vacio, esto es ldap_uri se está usando." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" "El DN base por defecto que se usará para realizar operaciones LDAP de " "usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -5711,17 +5800,17 @@ msgstr "" "sintaxis:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "El alcance puede ser uno de “base”, “onlevel” o “subtree”." #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -5729,14 +5818,14 @@ msgstr "" "El filtro debe ser un filtro de búsqueda LDAP válido como se especifica en " "http://www.ietf.org/rfc/rfc2254.txt" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Ejemplos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -5745,7 +5834,7 @@ msgstr "" "= dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -5754,7 +5843,7 @@ msgstr "" "(host=thishost)?dc=example.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -5767,7 +5856,7 @@ msgstr "" "impredecibles sobre máquinas cliente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -5784,12 +5873,12 @@ msgstr "" "soportan múltiples valores." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -5801,32 +5890,32 @@ msgstr "" "atributos son manejados puede también diferir." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "Cuatro tipos de esquema son actualmente soportados:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -5844,38 +5933,38 @@ msgstr "" "2008r2." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Predeterminado: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "ldap_pwmodify_mode (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" "Especifica la operación que se usa para modificar la contraseña de usuario." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "Actualmente se soportan dos modos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "exop - Operación Extendida de Modificación de Contraseña (RFC 3062)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "ldap_modify - Modificación directa de userPassword (no recomendado)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5888,58 +5977,58 @@ msgstr "" "el usuario debe haber escrito el atributo de acceos a userPassword." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "Predeterminado: exop" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" "El enlazador DN por defecto a usar para llevar a cabo operaciones LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "El tipo de ficha de autenticación del enlazador DN por defecto." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "Los dos mecanismos actualmente soportados son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "contraseña" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Por defecto: contraseña" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5948,11743 +6037,12397 @@ msgstr "" "actualmente password de texto claro." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "La clase de objeto de una entrada de usuario en LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Predeterminado: posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (cadena)" +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" -"El atributo LDAP que corresponde al nombre de inicio de sesión del usuario." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Predeterminado: uid (rfc2307, rfc2307bis e IPA), sAMAccountName (AD)" +"Algunos servidores de directorio, por ejemplo Active Directory, pueden " +"entregar la parte real del UPN en minúsculas, lo que puede causar fallos de " +"autenticación. Fije esta opción en un valor distinto de cero si usted desea " +"usar mayúsculas reales." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "El atributo LDAP que corresponde al id de usuario." +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "Predeterminado: uidNumber" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"Especifica cuantos segundos SSSD tiene que esperar antes de refrescar su " +"escondrijo de los registros enumerados." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (cadena)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (entero)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." -msgstr "El atributo LDAP que corresponde al id del grupo primario del usuario." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"Determina la frecuencia de comprobación del cache para entradas inactivas " +"(como grupos sin miembros y usuarios que nunca han accedido) y borrarlos " +"para guardar espacio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Predeterminado: gidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" +"Estableciendo esta opción a cero deshabilitará la operación de limpieza del " +"caché. Por favor advierta que si la enumeración está habilitada, se requiere " +"la tarea de limpieza con el objetivo de detectar entradas borradas desde el " +"servidor y no pueden ser deshabilitadas. Por defecto, la tarea de limpieza " +"correrá cada tres horas con la enumeración habilitada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" -msgstr "ldap_user_primary_group (cadena)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (entero)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:352 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" -"Atributo de grupo primario Active Directory para el mapeo de ID. Advierta " -"que este atributo debería solo ser establecido manualmente si usted está " -"ejecutando el proveedor <quote>ldap</quote> con mapeo ID." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" -msgstr "Predeterminado: no establecido (LDAP), primaryGroupID (AD)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (cadena)" +"Si ldap_schema está fijado en un formato de esquema que soporte los grupos " +"anidados (por ejemplo, RFC2307bis), entonces esta opción controla cuantos " +"niveles de anidamiento seguirá SSSD. Este opción no tiene efecto en el " +"esquema RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "El atributo LDAP que corresponde al campo de gecos del usuario." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Predeterminado: gecos" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" -"El atributo LDAP que contiene el nombre del directorio principal del usuario." +"Aviso: Esta opción especifica el nivel garantizado d grupos anidados a ser " +"procesados para cualquier búsqueda. Sin embargo, los grupos anidados detrás " +"de este límite <emphasis>pueden ser</emphasis> devueltos si las búsquedas " +"anteriores ya resueltas en os niveles más profundos de anidamiento. " +"También, las búsquedas subsiguientes para otros grupos pueden agrandar el " +"conjunto de resultados de la búsqueda origina si se requiere." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." 
msgstr "" +"Si ldap_group_nesting_level está establecido a 0 no se procesan de ninguna " +"manera grupos anidados. Sin embargo, cuando está conectado a Active-" +"Directory Server 2008 y posteriores usando <quote>id_provider=ad</quote> se " +"recomienda además deshabilitar la utilización de Token-Groups estableciendo " +"ldap_use_tokengroups a false con el objetivo de restringir el anidamiento de " +"grupos." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (cadena)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Predeterminado: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" -"El atributo LDAP que contiene la ruta de acceso a la shell predeterminada " -"del usuario." +"Esta opción habilita o deshabilita el uso del atributo Token-Groups cuando " +"lleva a cabo un initgroup para usuarios de Active Directory Server 2008 y " +"posteriores." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Predeterminado: loginShell" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "Predeterminado: True para AD e IPA en otro caso False." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "ldap_user_uuid (cadena)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "ldap_host_search_base (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." -msgstr "" -"El atributo LDAP que contiene el UUID/GUID de un objeto de usuario LDAP." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." +msgstr "Opcional. Usa la cadena dada como base de búsqueda para objetos host." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -"Predeterminado: no establecido en caso general, objectGUID para AD e " -"ipaUniqueID para IPA" +"Vea <quote>ldap_search_base</quote> para información sobre la configuración " +"de múltiples bases de búsqueda." + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (cadena)" +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:424 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" -"El atributo LDAP que contiene el objectSID de un objeto usuario LDAP. Esto " -"es normalmente sólo necesario para servidores ActiveDirectory." +"Especifica el tiempo de salida (en segundos) que la búsqueda ldap está " +"permitida para correr antes que de quea cancelada y los resultados " +"escondidos devueltos (y se entra en modo fuera de línea)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" -"Predeterminado: objectSid para ActiveDirectory, no establecido para otros " -"servidores." +"Nota: esta opción será sujeto de cambios en las futuras versiones del SSSD. " +"Probablemente será sustituido en algunos puntos por una serie de tiempos de " +"espera para tipos específicos de búsqueda." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (cadena)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" -"El atributo LDAP que contiene la fecha y hora de la última modificación del " -"objeto primario." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Predeterminado: modifyTimestamp" +"Especifica el tiempo de espera (en segundos) en los que las búsquedas ldap " +"de enumeraciones de usuario y grupo están permitidas de correr antes de que " +"sean canceladas y devueltos los resultados escondidos (y se entra en modo " +"fuera de línea)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (cadena)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (entero)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:461 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " -"de un atributo LDAP correspondiente a su <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> homologo (fecha del último cambio de password)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Predeterminado: shadowLastChange" +"Especifica el tiempo de salida (en segudos) después del cual <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> siguiendo un <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> vuelve en caso de no actividad." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (cadena)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " -"de un atributo LDAP correspondiente a su <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> homologo (edad mínima del password)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Predeterminado: shadowMin" +"Especifica un tiempo de espera (en segundos) después del cual las llamadas a " +"LDAP APIs asíncronos se abortarán si no se recibe respuesta. También " +"controla el tiempo de espera cuando se comunica con el KDC en caso de enlace " +"SASL, el tiempo de espera de una operación de enlace LDAP, la operación de " +"cambio extendido de contraseña y las operación StartTLS." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (cadena)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " -"de un atributo LDAP correspondiente a su <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> homologo (edad máxima del password)." +"Especifica un tiempo de espera (en segundos) en el que se mantendrá una " +"conexión a un servidor LDAP. Después de este tiempo, la conexión será " +"restablecida. Si su usa en paralelo con SASL/GSSAPI, se usará el valor más " +"temprano (este valor contra el tiempo de vida TGT)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Predeterminado: shadowMax" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Predeterminado: 900 (15 minutos)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (cadena)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " -"de un atributo LDAP correspondiente a su <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> homologo (período de aviso de password)." +"Especifica el número de registros a recuperar desde una única petición LDAP. " +"Algunos servidores LDAP hacen cumplir un límite máximo por petición." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Predeterminado: shadowWarning" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Predeterminado: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (cadena)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (booleano)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " -"de un atributo LDAP correspondiente a su <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> homologo (período de inactividad de password)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Predeterminado: shadowInactive" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (cadena)" +"Deshabilita el control de paginación LDAP. Esta opción se debería usar si el " +"servidor LDAP reporta que soporta el control de paginación LDAP en sus " +"RootDSE pero no está habilitado o no se comporta apropiadamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"Cuando se utiliza ldap_pwd_policy=shadow o " -"ldap_account_expire_policy=shadow, este parámetro contiene el nombre de un " -"atributo correspondiente con su <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> homólogo (fecha de " -"expiración de la cuenta)." +"Ejemplo: los servidores OpenLDAP con el módulo de control de paginación " +"instalado sobre el servidor pero no habilitado lo reportarán en el RootDSE " +"pero es incapaz de usarlo." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Predeterminado: shadowExpire" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"Ejemplo: 389 DS tiene un bug donde puede sólo soportar un control de " +"paginación a la vez en una única conexión. Sobre clientes ocupados, esto " +"puede ocasionar que algunas peticiones sean denegadas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (cadena)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 -msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." 
-msgstr "" -"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el " -"nombre de un atributo LDAP que almacena la fecha y la hora del último cambio " -"de password en kerberos." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "Deshabilitar la recuperación del rango de Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Predeterminado: krbLastPwdChange" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" +"Active Directory limita el número de miembros a recuperar en una única " +"búsqueda usando la política MaxValRange (que está predeterminada a 1500 " +"miembros). Si un grupo contiene mas miembros, la replica incluiría una " +"extensión de rango específica AD. Esta opción deshabilita el análisis de la " +"extensión del rango, por eso grupos grandes aparecerán como si no tuvieran " +"miembros." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (cadena)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." 
+"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el " -"nombre de un atributo LDAP que almacena la fecha y la hora en la que expira " -"el password actual." +"Cuando se está comunicando con un servidor LDAP usando SASL, especifica el " +"nivel de seguridad mínimo necesario para establecer la conexión. Los valores " +"de esta opción son definidos por OpenLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Predeterminado: krbPasswordExpiration" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" +"Por defecto: Usa el sistema por defecto (normalmente especificado por ldap." +"conf)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (cadena)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"Cuando se utiliza ldap_account_expire_policy=ad, este parámetro contiene el " -"nombre de un atributo LDAP que almacena el tiempo de expiración de la cuenta." 
+"Especifica el número de miembros del grupo que deben estar desaparecidos " +"desde el escondrijo interno con el objetivo de disparar una búsqueda " +"deference. Si hay menos miembros desaparecidos, se buscarán individualmente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Predeterminado: accountExpires" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (cadena)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" +"Puede desactivar las búsquedas de desreferencia completamente estableciendo " +"el valor a 0. Tenga en cuenta que hay algunas rutas de código en SSSD, como " +"el proveedor IPA HBAC, que solo son implementadas usando la llamada de " +"desreferencia, de modo que solo con la desreferencia explícitamente " +"deshabilitada aquellas partes usarán todavía la desreferencia si el servidor " +"lo soporta y auncia el control de la desreferencia en el objeto rootDSE." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. 
Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"Cuando se usa ldap_account_expire_policy=ad, este parámetro contiene el " -"nombre de un atributo LDAP que almacena el campo bit de control de la cuenta " -"de usuario." +"Una búsqueda dereference es un medio de descargar todos los miembros del " +"grupo en una única llamada LDAP. Servidores diferentes LDAP pueden " +"implementar diferentes métodos dereference. Los servidores actualmente " +"soportados son 389/RHDS, OpenLDAP y Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Predeterminado: userAccountControl" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" +"<emphasis>Nota:</emphasis> Si alguna de las bases de búsqueda especifica un " +"filtro de búsqueda, la mejora del rendimiento de la búsqueda dereference " +"será deshabilitado sin tener en cuenta este ajuste." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (cadena)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. 
It can be specified as one of the following values:" msgstr "" -"Cuando se usa ldap_account_expire_policy=rhds o esquivalente, este parámetro " -"determina si el acceso está permitido o no." +"Especifica que comprobaciones llevar a cabo sobre los certificados del " +"servidor en una sesión TLS, si las hay. Puede ser especificado como uno de " +"los siguientes valores:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "Predeterminado: nsAccountLock" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (cadena)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = El cliente no pedirá o comprobará ningún " +"certificado de servidor." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" -"Cuando se usa ldap_account_expire_policy=nds, este atributo determina si el " -"acceso está permitido o no." +"<emphasis>allow</emphasis> = Se pide el certificado del servidor. Si no se " +"suministra certificado, la sesión sigue normalmente. Si se suministra un " +"certificado malo, será ignorado y la sesión continua normalmente." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Predeterminado: loginDisabled" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:658 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" -"Cuando se usa ldap_account_expire_policy=nds, este atributo determina hasta " -"que fecha se concede el acceso." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (cadena)" +"<emphasis>try</emphasis> = Se pide el certificado del servidor. Si no se " +"suministra certificado, la sesión continua normalmente. Si se suministra un " +"certificado malo, la sesión se termina inmediatamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." 
msgstr "" -"Cuando se utiliza ldap_account_expire_policy=nds, este atributo determina la " -"hora de un día en la semana cuando se concede el acceso." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Predeterminado: loginAllowedTimeMap" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (cadena)" +"<emphasis>demand</emphasis> = Se pide el certificado del servidor. Si no se " +"suministra certificado, o se suministra un certificado malo, la sesión se " +"termina inmediatamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 -msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" -"El atributo LDAP que contiene le Nombre Principal de Usuario Kerberos (UPN) " -"del usuario." +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Predeterminado: krbPrincipalName" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Predeterminado: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." 
-msgstr "" -"Lista separada por comas de atributos LDAP que SSSD debería ir a buscar con " -"el conjunto usual de atributos de usuario." +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:683 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"La lista puede contener bien nombres de atributo LDAP solamente o tuplas " -"separadas por comas de de nombre de atributo SSSD en caché y nombre de " -"atributo LDAP. En el caso de que solo sed especifique el nombre de atributo " -"LDAP, el atributo se salva al caché literal. El uso de un nombre de " -"atributo SSSD personal puede ser requerido por entornos que configuran " -"varios dominios SSSD con diferentes esquemas LDAP." +"Especifica el fichero que contiene los certificados de todas las Autoridades " +"de Certificación que <command>sssd</command> reconocerá." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." 
+"conf</filename>" msgstr "" -"Por favor advierta que varios nombres de atributos están reservados por " -"SSSD, notablemente el atributo <quote>name</quote>. SSSD informaría de un " -"error si cualquiera de los nombres de atributo reservados es usado como un " -"nombre de atributo extra." +"Por defecto: use los valores por defecto OpenLDAP, normalmente en <filename>/" +"etc/openldap/ldap.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:698 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" -"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como " -"<quote>telephoneNumber</quote> al caché." +"Especifica la ruta de un directorio que contiene los certificados de las " +"Autoridades de Certificación en ficheros individuales separados. Normalmente " +"los nombres de fichero necesita ser el hash del certificado seguido por " +"‘.0’. si esta disponible <command>cacertdir_rehash</command> puede ser usado " +"para crear los nombres correctos." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como " -"<quote>phone</quote> al caché." +"Especifica el fichero que contiene el certificado para la clave del cliente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." -msgstr "El atributo LDAP que contiene las claves públicas SSH del usuario." +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" -msgstr "Predeterminado: sshPublicKey" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "Especifica el archivo que contiene la clave del cliente." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:741 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"Algunos servidores de directorio, por ejemplo Active Directory, pueden " -"entregar la parte real del UPN en minúsculas, lo que puede causar fallos de " -"autenticación. Fije esta opción en un valor distinto de cero si usted desea " -"usar mayúsculas reales." +"Especifica conjuntos de cifrado aceptable. Por lo general, es una lista " +"searada por dos puntos. Vea el formato en <citerefentry><refentrytitle>ldap." +"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (entero)" +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (booleano)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:757 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" -"Especifica cuantos segundos SSSD tiene que esperar antes de refrescar su " -"escondrijo de los registros enumerados." +"Especifica que la id_de proveedor de la conexión debe también utilizar " +"<systemitem class=\"protocol\">tls</systemitem> para proteger el canal." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (entero)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:770 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" -"Determina la frecuencia de comprobación del cache para entradas inactivas " -"(como grupos sin miembros y usuarios que nunca han accedido) y borrarlos " -"para guardar espacio." +"Especifica que SSSD intentaría mapear las IDs de usuario y grupo desde los " +"atributos ldap_user_objectsid y ldap_group_objectsid en lugar de apoyarse en " +"ldap_user_uid_number y ldap_group_gid_number." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -"Estableciendo esta opción a cero deshabilitará la operación de limpieza del " -"caché. Por favor advierta que si la enumeración está habilitada, se requiere " -"la tarea de limpieza con el objetivo de detectar entradas borradas desde el " -"servidor y no pueden ser deshabilitadas. Por defecto, la tarea de limpieza " -"correrá cada tres horas con la enumeración habilitada." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "El atributo LDAP que corresponde al nombre completo del usuario." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Predeterminado: cn" +"Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (cadena)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "ldap_min_id, ldap_max_id (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." -msgstr "El atributo LDAP que lista los afiliación a grupo de usario." +#: sssd-ldap.5.xml:789 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" +"En contraste con el SID basado en mapeo de ID que se usa si ldap_id_mapping " +"está establecido a true el rango de ID permitido para ldap_user_uid_number y " +"ldap_group_gid_number está sin consolidar. En una configuración con " +"subdominios de confianza, esto podría producir colisiones de ID. Para evitar " +"las colisiones ldap_min_id y ldap_max_id pueden er establecidos para " +"restringir el rango permitido para las IDs que son leídas directamente desde " +"el servidor. Los subdominios pueden elegir otros rangos para asignar IDs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Predeterminado: memberOf" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "Predeterminado: no establecido (ambas opciones se establecen a 0)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (cadena)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:810 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"Si access_provider=ldap y ldap_access_order=authorized_service, SSSD " -"utilizará la presencia del atributo authorizedService en la entrada LDAP del " -"usuario para determinar el privilegio de acceso." +"Especifica el mecanismo SASL a usar. Actualmente solo están probados y " +"soportados GSSAPI y GSS-SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:814 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Una denegación explícita (¡svc) se resuelve primero. Segundo, SSSD busca " -"permiso explícito (svc) y finalmente permitir todo (*)." 
+"Si el backend admite subdominios el valor de ldap_sasl_mech es heredado " +"automáticamente por los subdominios. Si se necesita un valor diferente para " +"un subdominio puede ser sobrescrito estabeciendo ldap_sasl_mech para este " +"subdominio explícitamente. Por favor vea la SECCIÓN DOMINIO DE CONFIANZA es " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> para más detalles." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"Por favor advierta que la opcion de configuración ldap_access_order " -"<emphasis>debe</emphasis> incluir <quote>authorized_service</quote> con el " -"objetivo de que la opción ldap_user_authorized_service trabaje." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:833 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. 
" -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" +"Especifica la identificación de autorización SASL a usar. Cuando son usados " +"GSSAPI/GSS-SPNEGO, esto representa el principal Kerberos usado para " +"autenticación al directorio. Esta opción puede contener el principal " +"completo (por ejemplo host/myhost@EXAMPLE.COM) o solo el nombre principal " +"(por ejemplo host/myhost). Por defecto, el valor no está establecido y se " +"usan los siguientes principales: <placeholder type=\"programlisting\" id=" +"\"0\"/> Si no se encuentra ninguno de ellos, se devuelve en primer principal " +"en la pestaña." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Predeterminado: iluminada" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "Por defecto: host/nombre_de_host@REALM" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (cadena)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (string)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:862 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" -"Si access_provider=ldap y ldap_access_order=host, SSSD utilizará la " -"presencia del atributo host en la entrada LDAP del usuario para determinar " -"el privilegio de acceso." +"Especifica el reino SASL a usar. Cuando no se especifica, esta opción se " +"pone por defecto al valor de krb5_realm. Si ldap_sasl_authid contiene el " +"reino también, esta opción se ignora." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." -msgstr "" -"Una denegación explícita (¡host) se resuelve primero. Segundo, la búsqueda " -"SSSD para permiso explícito (host) y finalmente permitir todo (*)." +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Por defecto: el valor de krb5_realm." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:877 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." 
+"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" -"Por favor advierta que la opción de configuración ldap_access_order " -"<emphasis>debe</emphasis> incluir <quote>host</quote> con el objetivo de que " -"la opción ldap_user_authorized_host." +"Si se fija en true, la librería LDAP llevaría a cabo una búsqueda inversa " +"para para canocalizar el nombre de host durante una unión SASL." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Default: host" +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Predeterminado: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "ldap_user_authorized_rhost (cadena)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 -msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." -msgstr "" -"Si access_provider=ldap y ldap_access_order=rhost, SSSD usará la presencia " -"del atributo rhost en la entrada LDAP de usuario para determinar el " -"privilegio de acceso. Similarmente al proceso de verificación de host." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +msgstr "Especifica la pestaña a usar cuando se utiliza SASL/GSSAPI/GSS-SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. 
Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" -"Una denegación explícita (!rhost) se resuelve primero. Segundo, SSSD busca " -"permisos explícitos (rhost) y finalmente allow_all (*)." +"Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</" +"filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:904 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -"Por favor advierta que la opción de configuración ldap_access_order " -"<emphasis>debe</emphasis> incluir <quote>rhost</quote> con el objetivo de " -"que la opción ldap_user_authorized_rhost trabaje." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "Predeterminado: rhost" +"Especifica que id_provider debería iniciar las credenciales Kerberos (TGT). " +"Esta acción solo se lleva a cabo si se usa SASL y el mecanismo seleccionado " +"es GSSAPI o GSS-SPNEGO." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "ldap_user_certificate (cadena)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." -msgstr "Nombre del atributo LDAP que contiene el certificado X509 del usuario." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +msgstr "" +"Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI o GSS-" +"SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" -msgstr "Predeterminado: userCertificate;binary" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Predeterminado: 86400 (24 horas)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "ldap_user_email (cadena)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:932 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Nombre del atributo LDAP que contiene el correo electrónico del usuario." +"Especifica una lista separada por comas de direcciones IP o nombres de host " +"de los servidores Kerberos a los cuales se conectaría SSSD en orden de " +"preferencia. Para más información sobre failover y redundancia de servidor, " +"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional " +"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de " +"host. Si está vacío, el servicio descubridor está habilitado – para más " +"información, vea la sección <quote>SERVICE DISCOVERY</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" -"Aviso: Si una dirección de correo electrónico de un usuario entra en " -"conflicto con una dirección de correo electrónico o el nombre totalmente " -"cualificado de otro usuario, SSSD no será capaz de servir adecuadamente a " -"esos usuarios. 
Si por alguna de varias razones los usuarios necesitan " -"compartir la misma dirección de correo electrónico establezca esta opción a " -"un nombre de atributo no existente con elobjetivo de deshabilitar la " -"búsqueda/acceso por correo electrónico." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" -msgstr "Predeterminado: mail" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "La clase de objeto de una entrada de grupo LDAP." +"Cuando se utiliza el servicio descubiertos para servidores KDC o kpasswd, " +"SSSD primero busca entradas DNS que especifiquen _udop como protocolo y " +"regresa a _tcp si no se encuentra nada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Por defecto: posixGroup" +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"Este opción se llamaba <quote>krb5_kdcip</quote> en las revisiones más " +"tempranas de SSSD. Mientras el legado de nombre se reconoce por el tiempo " +"que sea, los usuarios son advertidos para migrar sus ficheros de " +"configuración para usar <quote>krb5_server</quote> en su lugar." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (cadena)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "El atributo LDAP que corresponde al nombre de grupo." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +msgstr "" +"Especifica el REALM Kerberos (para autorización SASL/GSSAPI/GSS-SPNEGO)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Predeterminado: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" +"Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</" +"filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (cadena)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "El atributo LDAP que corresponde al id del grupo." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. 
This feature is available with MIT Kerberos >= 1.7" +msgstr "" +"Especifica si el host principal sería estandarizado cuando se conecte a un " +"servidor LDAP. Esta función está disponible con MIT Kerberos >= 1.7" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (cadena)" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "El atributo LDAP que contiene los nombres de los miembros del grupo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Valor predeterminado: memberuid (rfc2307) / member (rfc2307bis)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "ldap_group_uuid (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "El atributo LDAP que contiene el UUID/GUID de un objeto grupo LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (cadena)" +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. 
This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" +"Especifica si el SSSD debe instruir a las librerías Kerberos que ámbito y " +"que KDCs usar. Esta opción está por defecto, si la deshabilita, necesita " +"configurar las librerías Kerberos usando el fichero de configuración " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" -"El atributo LDAP que contiene el objectSID de un objeto grupo LDAP. Esto es " -"normalmente sólo necesario para servidores ActiveDirectory." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (cadena)" +"Vea la página de manual <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> para más información sobre el complemento " +"localizador." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (entero)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1017 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" -"El atributo LDAP que contiene un valor entero indicando el tipo del grupo y " -"puede ser otras banderas." +"Seleccione la política para evaluar la caducidad de la contraseña en el lado " +"del cliente. Los siguientes valores son permitidos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1022 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" -"Este atributo es actualmente usado por el proveedor AD para determinar si un " -"grupo está en grupos de dominio local y ha de ser sacado de los dominios de " -"confianza." +"<emphasis>none</emphasis> - Sin evaluación en el lado cliente. Esta opción " +"no puede deshabilitar las políticas de password en el lado servidor." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" -"Predeterminado: groupType en el proveedor AD, de otro modo no establecido" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "ldap_group_external_member (cadena)" +"<emphasis>shadow</emphasis> - Usa los atributos de estilo " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> para evaluar si la contraseña ha expirado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1033 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" -"El atributo LDAP que referencia a los miembros de grupo que están definidos " -"en un dominio externo. En este momento, solo se soportan los miembros " -"externos de IPA." +"<emphasis>mit_kerberos</emphasis> - Usa los atributos utilizados por MIT " +"Kerberos para determinar si el password ha expirado. Use " +"chpass_provider=krb5 para actualizar estos atributos cuando se cambia el " +"password." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" -"Predeterminado: ipaExternalMember en el proveedor IPA, de otro modo no " -"estabecido." 
+"<emphasis>Aviso</emphasis>: si está configurada una política de contraseña " +"en el lado del servidor siempre tiene prioridad sobre la política " +"establecida por esta opción." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (entero)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 -msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" -"Si ldap_schema está fijado en un formato de esquema que soporte los grupos " -"anidados (por ejemplo, RFC2307bis), entonces esta opción controla cuantos " -"niveles de anidamiento seguirá SSSD. Este opción no tiene efecto en el " -"esquema RFC2307." +"Especifica si el seguimiento de referencias automático debería ser " +"habilitado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." 
msgstr "" -"Aviso: Esta opción especifica el nivel garantizado d grupos anidados a ser " -"procesados para cualquier búsqueda. Sin embargo, los grupos anidados detrás " -"de este límite <emphasis>pueden ser</emphasis> devueltos si las búsquedas " -"anteriores ya resueltas en os niveles más profundos de anidamiento. " -"También, las búsquedas subsiguientes para otros grupos pueden agrandar el " -"conjunto de resultados de la búsqueda origina si se requiere." +"Por favor advierta que sssd sólo soporta seguimiento de referencias cuando " +"está compilado con OpenLDAP versión 2.4.13 o más alta." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1062 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" -"Si ldap_group_nesting_level está establecido a 0 no se procesan de ninguna " -"manera grupos anidados. Sin embargo, cuando está conectado a Active-" -"Directory Server 2008 y posteriores usando <quote>id_provider=ad</quote> se " -"recomienda además deshabilitar la utilización de Token-Groups estableciendo " -"ldap_use_tokengroups a false con el objetivo de restringir el anidamiento de " -"grupos." +"Al perseguir referencia se puede incurrir en una penalización de rendimiento " +"en entornos que lo usen pesadamente, un ejemplo notable es Microsoft Active " +"Directory. 
Si su ajuste no requieren de hecho el uso de referencias, fijar " +"esta opción a false le llevará a una notable mejora de rendimiento." -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Predeterminado: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 -msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -"Esta opción habilita o deshabilita el uso del atributo Token-Groups cuando " -"lleva a cabo un initgroup para usuarios de Active Directory Server 2008 y " -"posteriores." +"Especifica el nombre del servicio para utilizar cuando está habilitado el " +"servicio de descubrimiento." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "Predeterminado: True para AD e IPA en otro caso False." +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Predeterminado: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "La clase de objeto de una entrada netgroup en LDAP." 
+#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." -msgstr "En proveedor IPA, ipa_netgroup_object_class, se usaría en su lugar." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Especifica el nombre del servicio para utilizar al buscar un servidor LDAP " +"que permita cambios de contraseña cuando está habilitado el servicio de " +"descubrimiento." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Predeterminado: nisNetgroup" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "El atributo LDAP que corresponde al nombre del netgroup." +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "Un proveedor IPA, ipa_netgroup_name sería usado en su lugar." 
+#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" +"Especifica si actualizar el atributo ldap_user_shadow_last_change con días " +"desde el Epoch después de una operación de cambio de contraseña." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (cadena)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -"El atributo LDAP que contiene los nombres de los miembros de grupo de red." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." 
-msgstr "Un proveedor IPA, ipa_netgroup_member sería usado en su lugar." +"Si está usando access_provider = ldap y ldap_access_order = filter " +"(predeterminado), esta opción es obligatoria. Especifica un criterio de " +"filtro de búsqueda LDAP que debe cumplirse para que el usuario obtenga " +"acceso a este host. Si access_provider = ldap, ldap_access_order = filter y " +"esta opción no estñan establecidos resultará que todos los usuarios tendrán " +"el acceso denegado. Use access_provider = permit para cambiar este " +"comportamiento predeterminado. Por favor advierta que este filtro se aplica " +"sobre la entrada LDAP del usuario y, por lo tanto, el filtrado basado en " +"grupos anidados puede no funcionar (e.g. el atributo memberOf sobre entradas " +"AD apunta solo a los parientes directos). Si se requiere el filtrado basado " +"en grupos anidados, vea por favor <citerefentry> <refentrytitle>sssd-simple</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Predeterminado: memberNisNetgroup" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Ejemplo:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1148 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" -"El atributo LDAP que contiene los (host, usuario, dominio) triples de grupo " -"de red." +"Este ejemplo significa que el acceso a este host está restringido a los " +"usuarios cuyo atributo employeeType esté establecido a \"admin\"." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." -msgstr "Esta opción no está disponible en el proveedor IPA." +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" +"El almacenamiento en caché sin conexión para esta función está limitado a " +"determinar si el último inicio de sesión del usuario recibió permiso de " +"acceso. Si obtuvieron permiso de acceso durante su último inicio de sesión, " +"se les seguirán otorgando acceso sin conexión y viceversa." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Predeterminado: nisNetgroupTriple" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (cadena)" +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Predeterminado: vacío" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" -msgstr "ldap_host_object_class (cadena)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." -msgstr "El objeto clase de una entrada host en LDAP." +#: sssd-ldap.5.xml:1170 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"Con esta opción pueden ser habilitados los atributos de evaluación de " +"control de acceso del lado cliente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Por defecto: ipService" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" -msgstr "ldap_host_name (cadena)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" +"Por favor advierta que siempre se recomienda utilizar el control de acceso " +"del lado servidor, esto es el servidor LDAP denegaría petición de enlace con " +"una código de error definible aunque el password sea correcto." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "El atributo LDAP que corresponde al nombre de host." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "ldap_host_fqdn (cadena)" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Los siguientes valores están permitidos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1184 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -"El atributo LDAP que corresponde al nombre de dominio totalmente cualificado " -"del host." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "Predeterminado: fqdn" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" -msgstr "ldap_host_serverhostname (cadena)" +"<emphasis>shadow</emphasis>: usa el valor de ldap_user_shadow_expire para " +"determinar si la cuenta ha expirado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" -msgstr "Predeterminado: serverHostname" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" -msgstr "ldap_host_member_of (cadena)" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" +"<emphasis>ad</emphasis>: usa el valor del campo de 32 bit " +"ldap_user_ad_user_account_control y permite el acceso si el segundo bit no " +"está fijado. Si el atributo está desaparecido se concede el acceso. También " +"se comprueba el tiempo de expiración de la cuenta." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." -msgstr "Atributo LDAP que lista los miembros del grupo del host." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "ldap_host_search_base (cadena)" +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: usa el valor de ldap_ns_account_lock para comprobar si se permite " +"el acceso o no." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." -msgstr "Opcional. Usa la cadena dada como base de búsqueda para objetos host." 
+#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" +"<emphasis>nds</emphasis>: los valores de " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled y " +"ldap_user_nds_login_expiration_time se usan para comprobar si el acceso está " +"permitido. Si ambos atributos están desaparecidos se concede el acceso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1211 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -"Vea <quote>ldap_search_base</quote> para información sobre la configuración " -"de múltiples bases de búsqueda." - -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>" +"Por favor advierta que la opción de configuración ldap_access_order " +"<emphasis>debe</emphasis> incluir <quote>expire</quote> con el objetivo de " +"la opción ldap_account_expire_policy funcione." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" -msgstr "ldap_host_ssh_public_key (cadena)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "Atributo LDAP que contiene las claves públicas SSH del host." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" -msgstr "ldap_host_uuid (cadena)" +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"Lista separada por coma de opciones de control de acceso. Los valores " +"permitidos son:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." -msgstr "Atributo LDAP que contiene las UUID/GUID de un objeto host LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (cadena)" +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." -msgstr "La clase objeto de una entrada de servicio en LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (cadena)" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. 
Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" +"<emphasis>lockout</emphasis>: usar bloqueo de cuenta. Si se establece, esta " +"opción deniega el acceso en el caso de que el atributo ldap " +"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z'. " +"Por favor vea la opción ldap_pwdlockout_dn. Por favor advieta que " +"'access_provider = ldap' debe ser establecido para que está característica " +"funciones." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1244 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" -"El atributo LDAP que contiene el nombre de servicio de atributos y sus alias." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (cadena)" +"<emphasis> Por favor tenga en cuenta que esta opción es reemplazada por la " +"opción <quote>ppolicy</quote> y puede ser quitada en un futuro lanzamiento. " +"</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "El atributo LDAP que contiene el puerto manejado por este servicio." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. 
The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" +"<emphasis>ppolicy</emphasis>: usar bloqueo de cuenta. Si se establece, esta " +"opción deniega el acceso en el caso de que el atributo ldap " +"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z' o " +"represente cualquier momento en el pasado. El valor del atributo " +"'pwdAccountLockedTime' debe terminar con 'Z', que denota la zona horaria " +"UTC. Otras zonas horarias no se soportan actualmente y llevarán a \"access-" +"denied\" cuando los usuarios intenten acceder. Por favor vea la opción " +"ldap_pwdlockout_dn. Por favor advierta que 'access_provider = ldap' debe " +"estar establecido para que esta característica funcione." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Por defecto: ipServicePort" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (cadena)" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1272 msgid "" -"The LDAP attribute that contains the protocols understood by this service." 
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -"El atributo LDAP que contiene los protocolos entendidos por este servicio." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> Estas opciones son útiles si los " +"usuarios están interesados en que se les avise de que la contraseña está " +"próxima a expirar y la autenticación está basada en la utilización de un " +"método distinto a las contraseñas - por ejemplo claves SSH." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Por defecto: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (entero)" +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." 
+msgstr "" +"La diferencia entre estas opciones es la acción que se toma si la contraseña " +"de usuario ha expirado: pwd_expire_policy_reject - se deniega el acceso al " +"usuario, pwd_expire_policy_warn - el usuario es todavía capaz de acceder, " +"pwd_expire_policy_renew - al usuario se le pide que cambie la contraseña " +"inmediatamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1290 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" -"Especifica el tiempo de salida (en segundos) que la búsqueda ldap está " -"permitida para correr antes que de quea cancelada y los resultados " -"escondidos devueltos (y se entra en modo fuera de línea)" +"Nota: si la contraseña de usuario expiró, SSSD no solicita ningún mensaje " +"explícito." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1294 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" -"Nota: esta opción será sujeto de cambios en las futuras versiones del SSSD. " -"Probablemente será sustituido en algunos puntos por una serie de tiempos de " -"espera para tipos específicos de búsqueda." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (entero)" +"Por favor advierta que 'access_provider = ldap' debe estar establecido para " +"que esta función trabaje. También 'ldap_pwd_policy' debe estar establecido " +"para una política de contraseña apropiada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1299 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -"Especifica el tiempo de espera (en segundos) en los que las búsquedas ldap " -"de enumeraciones de usuario y grupo están permitidas de correr antes de que " -"sean canceladas y devueltos los resultados escondidos (y se entra en modo " -"fuera de línea)" +"<emphasis>authorized_service</emphasis>: utilizar el atributo " +"autorizedService para determinar el acceso" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" +"<emphasis>host</emphasis>: usa el atributo host para determinar el acceso" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1308 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -"Especifica el tiempo de salida (en segudos) después del cual <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> siguiendo un <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> vuelve en caso de no actividad." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (entero)" +"<emphasis>rhost</emphasis>: usar el atributo rhost para determinar si el " +"host remoto puede acceder" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1312 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." 
+"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -"Especifica un tiempo de espera (en segundos) después del cual las llamadas a " -"LDAP APIs asíncronos se abortarán si no se recibe respuesta. También " -"controla el tiempo de espera cuando se comunica con el KDC en caso de enlace " -"SASL, el tiempo de espera de una operación de enlace LDAP, la operación de " -"cambio extendido de contraseña y las operación StartTLS." +"Por favor advierta el campo rhost en pam es establecido por la aplicación, " +"es mejor comprobar que la aplicación lo envía a pam, antes de habilitar esta " +"opción de control de acceso" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Predeterminado: filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1320 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" -"Especifica un tiempo de espera (en segundos) en el que se mantendrá una " -"conexión a un servidor LDAP. Después de este tiempo, la conexión será " -"restablecida. Si su usa en paralelo con SASL/GSSAPI, se usará el valor más " -"temprano (este valor contra el tiempo de vida TGT)." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Predeterminado: 900 (15 minutos)" +"Tenga en cuenta que es un error de configuración si un valor es usado más de " +"una vez." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (entero)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1330 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -"Especifica el número de registros a recuperar desde una única petición LDAP. " -"Algunos servidores LDAP hacen cumplir un límite máximo por petición." +"Esta opción especifica la DN de la contraseña de entrada a la política sobre " +"un servidor LDAP. Tenga en cuenta que la ausencia de esta opción en sssd." +"conf en caso de verificación de bloqueo de cuenta habilitada dará como " +"resultado el acceso denegado ya que los atributos ppolicy en el servidor " +"LDAP no pueden verificarse correctamente." -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Predeterminado: 1000" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Ejemplo: cn=ppolicy,ou=policies,dc=example,dc=com" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "Predeterminado: cn=ppolicy,ou=policies,$ldap_search_base" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (booleano)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1350 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -"Deshabilita el control de paginación LDAP. Esta opción se debería usar si el " -"servidor LDAP reporta que soporta el control de paginación LDAP en sus " -"RootDSE pero no está habilitado o no se comporta apropiadamente." +"Especifica cómo se hace la eliminación de referencias al alias cuando se " +"lleva a cabo una búsqueda. Están permitidas las siguientes opciones:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 -msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." 
+#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -"Ejemplo: los servidores OpenLDAP con el módulo de control de paginación " -"instalado sobre el servidor pero no habilitado lo reportarán en el RootDSE " -"pero es incapaz de usarlo." +"<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1359 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" -"Ejemplo: 389 DS tiene un bug donde puede sólo soportar un control de " -"paginación a la vez en una única conexión. Sobre clientes ocupados, esto " -"puede ocasionar que algunas peticiones sean denegadas." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (booleano)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "Deshabilitar la recuperación del rango de Active Directory." +"<emphasis>searching</emphasis>: Las referencias al alias son eliminadas en " +"subordinadas del objeto base, pero no en localización del objeto base de la " +"búsqueda." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1364 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -"Active Directory limita el número de miembros a recuperar en una única " -"búsqueda usando la política MaxValRange (que está predeterminada a 1500 " -"miembros). Si un grupo contiene mas miembros, la replica incluiría una " -"extensión de rango específica AD. Esta opción deshabilita el análisis de la " -"extensión del rango, por eso grupos grandes aparecerán como si no tuvieran " -"miembros." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (entero)" +"<emphasis>finding</emphasis>: Sólo se eliminarán las referencias a alias " +"cuando se localice el objeto base de la búsqueda." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1369 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" -"Cuando se está comunicando con un servidor LDAP usando SASL, especifica el " -"nivel de seguridad mínimo necesario para establecer la conexión. 
Los valores " -"de esta opción son definidos por OpenLDAP." +"<emphasis>always</emphasis>: Las referencias al alias se eliminarán tanto " +"para la búsqueda como en la localización del objeto base de la búsqueda." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" -"Por defecto: Usa el sistema por defecto (normalmente especificado por ldap." -"conf)" +"Por defecto: Vacío (esto es manejado como <emphasis>nunca</emphasis> por las " +"librerías cliente LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (entero)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#: sssd-ldap.5.xml:1385 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"Especifica el número de miembros del grupo que deben estar desaparecidos " -"desde el escondrijo interno con el objetivo de disparar una búsqueda " -"deference. Si hay menos miembros desaparecidos, se buscarán individualmente." +"Permite retener los usuarios locales como miembros de un grupo LDAP para " +"servidores que usan el esquema RFC2307." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 +#: sssd-ldap.5.xml:1389 msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"Puede desactivar las búsquedas de desreferencia completamente estableciendo " -"el valor a 0. Tenga en cuenta que hay algunas rutas de código en SSSD, como " -"el proveedor IPA HBAC, que solo son implementadas usando la llamada de " -"desreferencia, de modo que solo con la desreferencia explícitamente " -"deshabilitada aquellas partes usarán todavía la desreferencia si el servidor " -"lo soporta y auncia el control de la desreferencia en el objeto rootDSE." +"En algunos entornos donde se usa el esquema RFC2307, los usuarios locales " +"son hechos miembros de los grupos LDAP añadiendo sus nombres al atributo " +"memberUid. La autoconsistencia del dominio se ve comprometida cuando se hace " +"esto, de modo que SSSD debería normalmente quitar los usuarios " +"“desparecidos” de las afiliaciones a grupos escondidas tan pronto como " +"nsswitch intenta ir a buscar información del usuario por medio de las " +"llamadas getpw*() o initgroups()." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#: sssd-ldap.5.xml:1400 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -"Una búsqueda dereference es un medio de descargar todos los miembros del " -"grupo en una única llamada LDAP. Servidores diferentes LDAP pueden " -"implementar diferentes métodos dereference. Los servidores actualmente " -"soportados son 389/RHDS, OpenLDAP y Active Directory." +"Esta opción cae de nuevo en comprobar si los usuarios locales están " +"referenciados, y los almacena en caché de manera que más tarde las llamadas " +"initgroups() aumentará los usuarios locales con los grupos LDAP adicionales." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "wildcard_limit (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#: sssd-ldap.5.xml:1415 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -"<emphasis>Nota:</emphasis> Si alguna de las bases de búsqueda especifica un " -"filtro de búsqueda, la mejora del rendimiento de la búsqueda dereference " -"será deshabilitado sin tener en cuenta este ajuste." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (cadena)" +"Especifica un límite superior sobre el número de entradas que son " +"descargadas durante una búsqueda de comodín." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -"Especifica que comprobaciones llevar a cabo sobre los certificados del " -"servidor en una sesión TLS, si las hay. Puede ser especificado como uno de " -"los siguientes valores:" +"En este momento solo el respondedor InfoPipe soporta búsqueda de comodín" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" +msgstr "Predeterminado: 1000 (frecuentemente el tamaño de una página)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. 
Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<emphasis>never</emphasis> = El cliente no pedirá o comprobará ningún " -"certificado de servidor." +"Todas las opciones de configuración comunes que se aplican a los dominios " +"SSSD también se aplican a los dominios LDAP. Vea la sección <quote>DOMAIN " +"SECTIONS</quote> de la página de manual <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para detalles " +"completos. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "OPCIONES SUDO" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"<emphasis>allow</emphasis> = Se pide el certificado del servidor. Si no se " -"suministra certificado, la sesión sigue normalmente. Si se suministra un " -"certificado malo, será ignorado y la sesión continua normalmente." 
+"Las instrucciones detalladas para la configuración de sudo_provider están en " +"la página de manual <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 +#: sssd-ldap.5.xml:1449 msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" -"<emphasis>try</emphasis> = Se pide el certificado del servidor. Si no se " -"suministra certificado, la sesión continua normalmente. Si se suministra un " -"certificado malo, la sesión se termina inmediatamente." +"Cuantos segundos esperará SSSD entre ejecutar un refresco total de las " +"reglas sudo (que descarga todas las reglas que están almacenadas en el " +"servidor)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#: sssd-ldap.5.xml:1454 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" -"<emphasis>demand</emphasis> = Se pide el certificado del servidor. Si no se " -"suministra certificado, o se suministra un certificado malo, la sesión se " -"termina inmediatamente." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>" +"El valor debe ser mayor que <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Predeterminado: hard" +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Por defecto: 21600 (6 horas)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (cadena)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (entero)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -"Especifica el fichero que contiene los certificados de todas las Autoridades " -"de Certificación que <command>sssd</command> reconocerá." +"Cuantos segundos tiene SSSD que esperar antes de ejecutar una actualización " +"inteligente de las reglas sudo (lo que descarga todas las reglas que tienen " +"un USN más alto que el valor más alto del servidor USN que conoce " +"actualmente SSSD)." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#: sssd-ldap.5.xml:1474 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" -"Por defecto: use los valores por defecto OpenLDAP, normalmente en <filename>/" -"etc/openldap/ldap.conf</filename>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (cadena)" +"Si los atributos USN no se soportan por el servidor, se usa en su lugar el " +"atributo modifyTimestamp." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" -"Especifica la ruta de un directorio que contiene los certificados de las " -"Autoridades de Certificación en ficheros individuales separados. Normalmente " -"los nombres de fichero necesita ser el hash del certificado seguido por " -"‘.0’. 
si esta disponible <command>cacertdir_rehash</command> puede ser usado " -"para crear los nombres correctos." +"<emphasis>Aviso:</emphasis> el valor más alto de USN puede ser actualizado " +"por tres tareas: 1) Por una actualización total o inteligente de sudo (si se " +"encuentran reglas actualizadas), 2) por la enumeración de usuarios y grupos " +"(si se encuentran usuarios y grupos habilitados y actualizados) y 3) " +"reconectando con el servidor (por defecto cada 15 minutos, vea " +"<emphasis>ldap_connection_expire_timeout</emphasis>)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (cadena)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#: sssd-ldap.5.xml:1498 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" -"Especifica el fichero que contiene el certificado para la clave del cliente." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "Especifica el archivo que contiene la clave del cliente." +"Si es true, SSSD descargará sólo las reglas que son aplicables a esta " +"máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (cadena)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -"Especifica conjuntos de cifrado aceptable. Por lo general, es una lista " -"searada por dos puntos. Vea el formato en <citerefentry><refentrytitle>ldap." -"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (booleano)" +"Lista separada por espacios de nombres de host o nombres de dominio " +"totalmente cualificados que sería usada para filtrar las reglas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#: sssd-ldap.5.xml:1517 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -"Especifica que la id_de proveedor de la conexión debe también utilizar " -"<systemitem class=\"protocol\">tls</systemitem> para proteger el canal." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (booleano)" +"Si esta opción está vacía, SSSD intentará descubrir el nombre de host y el " +"nombre de dominio totalmente cualificado automáticamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -"Especifica que SSSD intentaría mapear las IDs de usuario y grupo desde los " -"atributos ldap_user_objectsid y ldap_group_objectsid en lugar de apoyarse en " -"ldap_user_uid_number y ldap_group_gid_number." +"Si <emphasis>ldap_sudo_use_host_filter</emphasis> es <emphasis>false</" +"emphasis> esta opción no tiene efecto." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" -"Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory." +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "Por defecto: no especificado" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" -msgstr "ldap_min_id, ldap_max_id (entero)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#: sssd-ldap.5.xml:1536 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"En contraste con el SID basado en mapeo de ID que se usa si ldap_id_mapping " -"está establecido a true el rango de ID permitido para ldap_user_uid_number y " -"ldap_group_gid_number está sin consolidar. En una configuración con " -"subdominios de confianza, esto podría producir colisiones de ID. Para evitar " -"las colisiones ldap_min_id y ldap_max_id pueden er establecidos para " -"restringir el rango permitido para las IDs que son leídas directamente desde " -"el servidor. Los subdominios pueden elegir otros rangos para asignar IDs." +"Lista separada por espacios de direcciones de host/red IPv4 o IPv6 que sería " +"usada para filtrar las reglas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" -msgstr "Predeterminado: no establecido (ambas opciones se establecen a 0)" +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" +"esta opción está vacía, SSSD intentará descrubrir las direcciones " +"automáticamente." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (cadena)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "sudo_include_netgroups (booleano)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#: sssd-ldap.5.xml:1559 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." -msgstr "" -"Especifica el mecanismo SASL a usar. Actualmente solo están probados y " -"soportados GSSAPI y GSS-SPNEGO." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"Si el backend admite subdominios el valor de ldap_sasl_mech es heredado " -"automáticamente por los subdominios. Si se necesita un valor diferente para " -"un subdominio puede ser sobrescrito estabeciendo ldap_sasl_mech para este " -"subdominio explícitamente. Por favor vea la SECCIÓN DOMINIO DE CONFIANZA es " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> para más detalles." +"Si está a true SSSD descargará cada regla que contenga un grupo de red en el " +"atributo sudoHost." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (cadena)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (booleano)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1577 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Si es verdad SSSD descargará cada regla que contenga un comodín en el " +"atributo sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -"Especifica la identificación de autorización SASL a usar. 
Cuando son usados " -"GSSAPI/GSS-SPNEGO, esto representa el principal Kerberos usado para " -"autenticación al directorio. Esta opción puede contener el principal " -"completo (por ejemplo host/myhost@EXAMPLE.COM) o solo el nombre principal " -"(por ejemplo host/myhost). Por defecto, el valor no está establecido y se " -"usan los siguientes principales: <placeholder type=\"programlisting\" id=" -"\"0\"/> Si no se encuentra ninguno de ellos, se devuelve en primer principal " -"en la pestaña." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "Por defecto: host/nombre_de_host@REALM" +"¡Usar comodines es una operación que es muy costosa de evaluar en el lado " +"del servidor LDAP!" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -"Especifica el reino SASL a usar. Cuando no se especifica, esta opción se " -"pone por defecto al valor de krb5_realm. Si ldap_sasl_authid contiene el " -"reino también, esta opción se ignora." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Por defecto: el valor de krb5_realm." +"Esta página de manual sólo describe el atributo de nombre mapping. Para una " +"explicación detallada de la semántica del atributo relacionada con sudo, vea " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "OPCIONES AUTOFS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -"Si se fija en true, la librería LDAP llevaría a cabo una búsqueda inversa " -"para para canocalizar el nombre de host durante una unión SASL." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Predeterminado: false;" +"Algunos de los valores por defecto para los parámetros de abajo dependen del " +"esquema LDAP." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (cadena)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." -msgstr "Especifica la pestaña a usar cuando se utiliza SASL/GSSAPI/GSS-SPNEGO." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." +msgstr "El nombre del mapa maestro de montaje automático en LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" -msgstr "" -"Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</" -"filename>" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Pfredeterminado: auto.master" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "OPCIONES AVANZADAS" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (booleano)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 -msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." -msgstr "" -"Especifica que id_provider debería iniciar las credenciales Kerberos (TGT). 
" -"Esta acción solo se lleva a cabo si se usa SASL y el mecanismo seleccionado " -"es GSSAPI o GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (entero)" +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" +msgstr "<note>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -"Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI o GSS-" -"SPNEGO." +"Si la opción <quote>ldap_use_tokengroups</quote> está habilitada, las " +"búsquedas contra Active Directory no serán restringidas y devolverán todos " +"los grupos miembros, incluso sin mapeo GID. Se recomienda deshabilitar esta " +"función, si los nombres de grupo no están siendo visualizados correctamente." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Predeterminado: 86400 (24 horas)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" +msgstr "</note>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (cadena)" +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. 
<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"Especifica una lista separada por comas de direcciones IP o nombres de host " -"de los servidores Kerberos a los cuales se conectaría SSSD en orden de " -"preferencia. Para más información sobre failover y redundancia de servidor, " -"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional " -"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de " -"host. Si está vacío, el servicio descubridor está habilitado – para más " -"información, vea la sección <quote>SERVICE DISCOVERY</quote>." +"Estas opciones están soportadas por dominios LDAP, pero deberían ser usadas " +"con precaución. Por favor incluyalas en su configuración si usted sabe lo " +"que está haciendo. <placeholder type=\"variablelist\" id=\"0\"/> " +"<placeholder type=\"variablelist\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "EJEMPLO" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -"Cuando se utiliza el servicio descubiertos para servidores KDC o kpasswd, " -"SSSD primero busca entradas DNS que especifiquen _udop como protocolo y " -"regresa a _tcp si no se encuentra nada." 
+"El siguiente ejemplo asume que SSSS está configurado correctamente y LDAP " +"está fijado a uno de los dominios de la sección <replaceable>[domains]</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Este opción se llamaba <quote>krb5_kdcip</quote> en las revisiones más " -"tempranas de SSSD. Mientras el legado de nombre se reconoce por el tiempo " -"que sea, los usuarios son advertidos para migrar sus ficheros de " -"configuración para usar <quote>krb5_server</quote> en su lugar." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (cadena)" +#. 
type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." -msgstr "" -"Especifica el REALM Kerberos (para autorización SASL/GSSAPI/GSS-SPNEGO)." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "EJEMPLO DE FILTRO DE ACCESO LDAP" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" -msgstr "" -"Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</" -"filename>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (boolean)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"Especifica si el host principal sería estandarizado cuando se conecte a un " -"servidor LDAP. 
Esta función está disponible con MIT Kerberos >= 1.7" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (booleano)" +"El siguiente ejemplo asume que SSSD está correctamente configurado y usa " +"ldap_access_order=lockout." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Especifica si el SSSD debe instruir a las librerías Kerberos que ámbito y " -"que KDCs usar. Esta opción está por defecto, si la deshabilita, necesita " -"configurar las librerías Kerberos usando el fichero de configuración " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." 
+"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "NOTAS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -"Vea la página de manual <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> para más información sobre el complemento " -"localizador." +"Las descripciones de algunas de las opciones de configuración en esta página " +"de manual están basadas en la página de manual <citerefentry> " +"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> de la distribución OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (cadena)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "Módulo PAM para SSSD" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -"Seleccione la política para evaluar la caducidad de la contraseña en el lado " -"del cliente. 
Los siguientes valores son permitidos:" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -"<emphasis>none</emphasis> - Sin evaluación en el lado cliente. Esta opción " -"no puede deshabilitar las políticas de password en el lado servidor." +"<command>pam_sss.so</command> es la interfaz PAM para el demonio Servicios " +"de Seguridad de Sistema (SSSD). Los errores y resultados son registrados a " +"través de <command>syslog(3)</command> con la facilidad LOG_AUTHPRIV." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "Suprime el registro de mensajes de usuarios desconocidos." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -"<emphasis>shadow</emphasis> - Usa los atributos de estilo " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> para evaluar si la contraseña ha expirado." +"Si <option>forward_pass</option> está fijada el password introducido se pone " +"en la pila para que lo usen otros módulos PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -"<emphasis>mit_kerberos</emphasis> - Usa los atributos utilizados por MIT " -"Kerberos para determinar si el password ha expirado. Use " -"chpass_provider=krb5 para actualizar estos atributos cuando se cambia el " -"password." +"El argumento use_first_pass fuerza al módulo a usar un módulo de password " +"apilado previamente y nunca preguntará al usuario - si no hay password " +"disponible o el password no es apropiado, se denegará el acceso al usuario." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -"<emphasis>Aviso</emphasis>: si está configurada una política de contraseña " -"en el lado del servidor siempre tiene prioridad sobre la política " -"establecida por esta opción." 
+"Cuando cambia el password fuerza al módulo a fijar el nuevo password a uno " +"suministrado por un módulo de password previamente apilado." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -"Especifica si el seguimiento de referencias automático debería ser " -"habilitado." +"Si el usuario especificado es preguntado N veces por un password si la " +"autenticación falla. Por defecto es 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -"Por favor advierta que sssd sólo soporta seguimiento de referencias cuando " -"está compilado con OpenLDAP versión 2.4.13 o más alta." 
+"Por favor advierta que esta opción puede no trabajar como se espera llamando " +"PAM a manejar el diálogo de usuario por el mismo. Un ejecplo típico es " +"<command>sshd</command> con <option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -"Al perseguir referencia se puede incurrir en una penalización de rendimiento " -"en entornos que lo usen pesadamente, un ejemplo notable es Microsoft Active " -"Directory. Si su ajuste no requieren de hecho el uso de referencias, fijar " -"esta opción a false le llevará a una notable mejora de rendimiento." +"Si se especifica esta opción y el usuario no existe, el módulo PAM devolverá " +"PAM_IGNORE. Esto origina que el marco de referencia PAM ignore este módulo." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -"Especifica el nombre del servicio para utilizar cuando está habilitado el " -"servicio de descubrimiento." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Predeterminado: ldap" +"Especifica que el módulo PAM debería devolver PAM_IGNORE si no puede " +"contactar con el demonio SSSD. Esto causa que el marco de referencia PAM " +"ignore este módulo." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" +msgstr "<option>domains</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." 
+"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -"Especifica el nombre del servicio para utilizar al buscar un servidor LDAP " -"que permita cambios de contraseña cuando está habilitado el servicio de " -"descubrimiento." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" -msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (booleano)" +"Permite al administrador restringir los dominios contra los que un servicio " +"PAM particular puede autenticarse. El formato es una lista separada por " +"comas de nombres de dominio SSSD, como se especifica en el fichero sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." 
msgstr "" -"Especifica si actualizar el atributo ldap_user_shadow_last_change con días " -"desde el Epoch después de una operación de cambio de contraseña." +"AVISO: Se debe usar junto con las opciones <quote>pam_trusted_users</quote> " +"y <quote>pam_public_domains</quote>. Por favor vea la página de manual " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> para mas información sobre estas dos opciones del " +"respondedor PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "<option>allow_missing_name</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." 
+"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"Si está usando access_provider = ldap y ldap_access_order = filter " -"(predeterminado), esta opción es obligatoria. Especifica un criterio de " -"filtro de búsqueda LDAP que debe cumplirse para que el usuario obtenga " -"acceso a este host. Si access_provider = ldap, ldap_access_order = filter y " -"esta opción no estñan establecidos resultará que todos los usuarios tendrán " -"el acceso denegado. Use access_provider = permit para cambiar este " -"comportamiento predeterminado. Por favor advierta que este filtro se aplica " -"sobre la entrada LDAP del usuario y, por lo tanto, el filtrado basado en " -"grupos anidados puede no funcionar (e.g. el atributo memberOf sobre entradas " -"AD apunta solo a los parientes directos). Si se requiere el filtrado basado " -"en grupos anidados, vea por favor <citerefentry> <refentrytitle>sssd-simple</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Ejemplo:" +"El propósito principal de esta opción es dejar que SSSD determine el nombre " +"de usuario en base a información adicional, e.g. el certificado de una " +"Smartcard." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 #, no-wrap msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" +"auth sufficient pam_sss.so allow_missing_name\n" " " msgstr "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" +"auth sufficient pam_sss.so allow_missing_name\n" " " -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -"Este ejemplo significa que el acceso a este host está restringido a los " -"usuarios cuyo atributo employeeType esté establecido a \"admin\"." +"El caso de uso actual son los administradores de inicio de sesión que pueden " +"monitorear un lector de tarjetas inteligentes para eventos de tarjetas. En " +"el caso de que una Smartcard se inserte el administrador de inicio de sesión " +"llamara a la pila PAM que incluye una línea como <placeholder type=" +"\"programlisting\" id=\"0\"/> En este caso SSSD intentará determinar el " +"nobre de usuairo en base al contenido de la tarjeta inteligente, se lo " +"devolverá a pam_sss quien finalmente lo pondrá en la pila PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" +msgstr "<option>prompt_always</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -"El almacenamiento en caché sin conexión para esta función está limitado a " -"determinar si el último inicio de sesión del usuario recibió permiso de " -"acceso. Si obtuvieron permiso de acceso durante su último inicio de sesión, " -"se les seguirán otorgando acceso sin conexión y viceversa." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Predeterminado: vacío" +"Solicita siempre al usuario las credenciales. Con esta opción las " +"credenciales pedidas por otros módulos PAM, normalmente una contraseña, " +"serán ignoradas y pam_sss solicitará las credenciales otra vez. En base a la " +"respuesta pre autorización de SSSD pam_sss debe solicitar una contraseña, un " +"Smartcard PIN u otras credenciales." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" +msgstr "<option>try_cert_auth</option>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -"Con esta opción pueden ser habilitados los atributos de evaluación de " -"control de acceso del lado cliente." +"Intenta usar autenticación basada en certificado, i.e. autenticación con una " +"tarjeta inteligente o dispositivos similares. Si hay disponible una " +"Smartcard y el servicio tiene permitido la autenticación Smartcard se le " +"pedirá al usuario un PIN y continuará la autenticación basada en certificado" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"Por favor advierta que siempre se recomienda utilizar el control de acceso " -"del lado servidor, esto es el servidor LDAP denegaría petición de enlace con " -"una código de error definible aunque el password sea correcto." 
+"Si no hay Smartcard disponible o la autenticación basada en certificado no " +"está permitida para el servicio actual se devuelve PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Los siguientes valores están permitidos:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" +msgstr "<option>require_cert_auth</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"<emphasis>shadow</emphasis>: usa el valor de ldap_user_shadow_expire para " -"determinar si la cuenta ha expirado." +"Hace la autenticación en base a certificado, i.e. autenticación con " +"Smartcard o dispositivos similares. Si no hay una Smartcard disponible se " +"pedirá al usuario que inserte una. SSSD esperará una Smartcard hasta el " +"tiempo límite definido por p11_wait_for_card_timeout passed, más detalles en " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -"<emphasis>ad</emphasis>: usa el valor del campo de 32 bit " -"ldap_user_ad_user_account_control y permite el acceso si el segundo bit no " -"está fijado. Si el atributo está desaparecido se concede el acceso. También " -"se comprueba el tiempo de expiración de la cuenta." +"Si no hay Smartcard disponible después del tiempo límite o no está pemitida " +"la autenticación basada en certificado para el servicio actual se devolverá " +"PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 -msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." -msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: usa el valor de ldap_ns_account_lock para comprobar si se permite " -"el acceso o no." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "TIPOS DE MÓDULOS SUMINISTRADOS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"<emphasis>nds</emphasis>: los valores de " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled y " -"ldap_user_nds_login_expiration_time se usan para comprobar si el acceso está " -"permitido. Si ambos atributos están desaparecidos se concede el acceso." +"Todos los tipos de módulos (<option>account</option>, <option>auth</option>, " +"<option>password</option> y <option>session</option>) son suministrados." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -"Por favor advierta que la opción de configuración ldap_access_order " -"<emphasis>debe</emphasis> incluir <quote>expire</quote> con el objetivo de " -"la opción ldap_account_expire_policy funcione." +"Si el respondedor PAM de SSSD no está corriendo, e.g. 
si el socket " +"respondedor PAM no esta disponible, pam_sss devolverá PAM_USER_UNKNOWN " +"cuando se llame como módulo <option>account</option> para evitar problemas " +"con usuarios de otras fuentes durante el control de acceso." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (cadena)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "ARCHIVOS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"Lista separada por coma de opciones de control de acceso. Los valores " -"permitidos son:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter" +"Si un password se resetea por un fallo de root, como el correspondiente " +"proveedor SSSD no soporta el reseteo de password, se puede mostrar un " +"mensaje individual. Este mensaje puede, por ejemplo, contener instrucciones " +"sobre como resetear un password." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"<emphasis>lockout</emphasis>: use account locking. 
If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"<emphasis>lockout</emphasis>: usar bloqueo de cuenta. Si se establece, esta " -"opción deniega el acceso en el caso de que el atributo ldap " -"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z'. " -"Por favor vea la opción ldap_pwdlockout_dn. Por favor advieta que " -"'access_provider = ldap' debe ser establecido para que está característica " -"funciones." +"El mensaje se lee desde el fichero <filename>pam_sss_pw_reset_message.LOC</" +"filename> donde LOC destaca una cadena de lugar devuelta por <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. Si no hay fichero coincidente se muestra el contenido de " +"<filename>pam_sss_pw_reset_message.txt</filename>. Root debe ser el " +"propietario de los ficheros y sólo root puede tener permisos de lectura y " +"escritura mientras que todos los demás usuarios sólo tienen permisos de " +"lectura." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -"<emphasis> Por favor tenga en cuenta que esta opción es reemplazada por la " -"opción <quote>ppolicy</quote> y puede ser quitada en un futuro lanzamiento. " -"</emphasis>" +"Estos ficheros son buscados en el directorio <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. Si no hay archivos coincidentes se muestra un " +"mensaje genérico." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 -msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." -msgstr "" -"<emphasis>ppolicy</emphasis>: usar bloqueo de cuenta. Si se establece, esta " -"opción deniega el acceso en el caso de que el atributo ldap " -"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z' o " -"represente cualquier momento en el pasado. El valor del atributo " -"'pwdAccountLockedTime' debe terminar con 'Z', que denota la zona horaria " -"UTC. Otras zonas horarias no se soportan actualmente y llevarán a \"access-" -"denied\" cuando los usuarios intenten acceder. 
Por favor vea la opción " -"ldap_pwdlockout_dn. Por favor advierta que 'access_provider = ldap' debe " -"estar establecido para que esta característica funcione." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "Complemento localizador Kerberos" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." 
msgstr "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> Estas opciones son útiles si los " -"usuarios están interesados en que se les avise de que la contraseña está " -"próxima a expirar y la autenticación está basada en la utilización de un " -"método distinto a las contraseñas - por ejemplo claves SSH." +"El complemento localizador Kerberos <command>sssd_krb5_locator_plugin</" +"command> es usado por libkrb5 para encontrar KDCs en un reino Kerberos dado. " +"SSSD proporciona dicho complemento para guiar a todos los clientes Kerberos " +"es un sistema a un único KDC. En general, no debería importar con qué KDC " +"está hablando un proceso de cliente. Pero hay casos, e.g. después de un " +"cambio de contraseña, donde no todos los KDCs etán en el mismo estado porque " +"los nuevos datos tienen que ser replicados primero. Para evitar fallos de " +"autenticación inesperados y quizás bloqueos de cuentas sería bueno hablar " +"con un único KDC todo lo que sea posible." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. 
" +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -"La diferencia entre estas opciones es la acción que se toma si la contraseña " -"de usuario ha expirado: pwd_expire_policy_reject - se deniega el acceso al " -"usuario, pwd_expire_policy_warn - el usuario es todavía capaz de acceder, " -"pwd_expire_policy_renew - al usuario se le pide que cambie la contraseña " -"inmediatamente." +"libkrb5 buscará el complemento localizador en el subdirectorio libkrb5 del " +"directorio de complementos Kerberos, vea más detalles en plugin_base_dir en " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. El complemento solo se puede deshabilitar " +"borrando el fichero del complemento. No hay opción en a configuración de " +"Kerberos para deshabilitarlo. Pero la variable de entorno " +"SSSD_KRB5_LOCATOR_DISABLE puede ser usada para deshabilitar el complemento " +"en comandos individuales. Alternativamente la opción SSSD " +"krb5_use_kdcinfo=False puede ser usada para no generar los datos necesarios " +"para el complemento. Con esto, todavía se llama al complemento, pero no " +"proporcionará datos a la persona que llama para que libkrb5 pueda recurrir a " +"otros métodos definidos en krb5.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." 
+"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -"Nota: si la contraseña de usuario expiró, SSSD no solicita ningún mensaje " -"explícito." +"El complemento lee la información sobre los KDCs de un reino dado desde un " +"fichero llamado <filename>kdcinfo.REALM</filename>. El fichero debería " +"contener uno o más nombres de DNS o direcciones IP ya sea en anotación " +"decimal con puntos IPv4 o en anotación hexadecimal IPv6. Su puede añadir un " +"número de puerto adicional al final separado con dos puntos, la dirección " +"IPv6 tiene que estar encerrada entre corchetes en este caso como es usual. " +"Las entradas válidas son:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" +msgstr "kdc.example.com" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "kdc.example.com:321" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "1.2.3.4" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "5.6.7.8:99" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "2001:db8:85a3::8a2e:370:7334" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "[2001:db8:85a3::8a2e:370:7334]:321" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -"Por favor advierta que 'access_provider = ldap' debe estar establecido para " -"que esta función trabaje. También 'ldap_pwd_policy' debe estar establecido " -"para una política de contraseña apropiada." +"Krb5 auth-provider de SSSD que es utilizado por IPA y los proveedores AD que " +"también agrega la dirección del actual KDC o controlador de dominio SSSD se " +"utiliza para este fichero." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -"<emphasis>authorized_service</emphasis>: utilizar el atributo " -"autorizedService para determinar el acceso" +"En entornos con KDCs de solo lectura y lectura-escritura donde los clientes " +"esperan usar las instancias solo lectura para las operaciones generales y " +"solo KDC de lectura-escritura para cambio de configuración como cambios de " +"contraseña se utiliza <filename>kpasswdinfo.REALM</filename> también para " +"identificar KDCs de lectura-escritura. Si existe este fichero para el reino " +"dado el contenido será usado por el complemento para contestar las " +"peticiones de un servidor kpasswd o kadmin opara el maestro específico KDC " +"MIT Kerberos. Si la dirección contiene un número de puerto el puerto " +"predeterminado KDC 88 será usado para los posteriores." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -"<emphasis>host</emphasis>: usa el atributo host para determinar el acceso" +"No todas las implementaciones Kerberos soportan el uso de plugins. Si " +"<command>sssd_krb5_locator_plugin</command> no está disponible en su sistema " +"usted tiene que editar /etc/krb5.conf para reflejar sus ajustes Kerberos." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -"<emphasis>rhost</emphasis>: usar el atributo rhost para determinar si el " -"host remoto puede acceder" +"Si la variable de entorno SSSD_KRB5_LOCATOR_DEBUR está fijada a cualquier " +"valor los mensajes de depuración se enviarán a stderr." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -"Por favor advierta el campo rhost en pam es establecido por la aplicación, " -"es mejor comprobar que la aplicación lo envía a pam, antes de habilitar esta " -"opción de control de acceso" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Predeterminado: filter" +"Si la variable de entorno SSSD_KRB5_LOCATOR_DISABLE está establecida a " +"cualquier valor el complemento es deshabilitado y y devolverá " +"KRB5_PLUGIN_NO_HANDLE al llamante." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -"Tenga en cuenta que es un error de configuración si un valor es usado más de " -"una vez." +"Si la variable de entorno SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES etá " +"establecida a cualquier valor el complemento intentará resolver todos los " +"nombres DNS en el fichero kdcinfo. Por defecto el complemento devuelve " +"KRB5_PLUGIN_NO_HANDLE al llamante inmediatamente en el primer fallo " +"resolviendo DNS." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" -msgstr "ldap_pwdlockout_dn (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 -msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -"Esta opción especifica la DN de la contraseña de entrada a la política sobre " -"un servidor LDAP. Tenga en cuenta que la ausencia de esta opción en sssd." 
-"conf en caso de verificación de bloqueo de cuenta habilitada dará como " -"resultado el acceso denegado ya que los atributos ppolicy en el servidor " -"LDAP no pueden verificarse correctamente." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" -msgstr "Ejemplo: cn=ppolicy,ou=policies,dc=example,dc=com" +"el fichero de configuración para en proveedor de control de acceso 'simple' " +"de SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" -msgstr "Predeterminado: cn=ppolicy,ou=policies,$ldap_search_base" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -"Especifica cómo se hace la eliminación de referencias al alias cuando se " -"lleva a cabo una búsqueda. 
Están permitidas las siguientes opciones:" +"Esta página de manual describe la configuración del proveedor de control de " +"acceso simple para <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de " +"sintaxis, vea la sección <quote>FILE FORMAT</quote> de la página de manual " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias." +"El proveedor de acceso simple otorga o deniega el acceso en base a una lista " +"de acceso o denegación de usuarios o grupo de nombres. Se aplican las " +"siguientes reglas:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Si todas las listas están vacías, se concede acceso" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." 
msgstr "" -"<emphasis>searching</emphasis>: Las referencias al alias son eliminadas en " -"subordinadas del objeto base, pero no en localización del objeto base de la " -"búsqueda." +"Si se ha suministrado alguna lista, el orden de evaluación es permitir," +"denegar. Esto significa que cualquier regla de denegación será saltada por " +"cualquier regla de permiso coincidente." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -"<emphasis>finding</emphasis>: Sólo se eliminarán las referencias a alias " -"cuando se localice el objeto base de la búsqueda." +"Si una o ambas listas de \"permiso\" se suministran, todos los usuarios " +"serán denegados a no ser que aparezcan en la lista." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" -"<emphasis>always</emphasis>: Las referencias al alias se eliminarán tanto " -"para la búsqueda como en la localización del objeto base de la búsqueda." +"Si sólo se suministran listas de \"denegación\", todos los usuarios " +"obtendran acceso a no ser que aparezcan en la lista." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" -msgstr "" -"Por defecto: Vacío (esto es manejado como <emphasis>nunca</emphasis> por las " -"librerías cliente LDAP)" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "Lista separada por comas de usuarios a los está permitido el acceso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (boolean)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -"Permite retener los usuarios locales como miembros de un grupo LDAP para " -"servidores que usan el esquema RFC2307." +"Lista separada por comas de usuarios a los que explicítamente se les deniega " +"el acceso." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (cadena)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#: sssd-simple.5.xml:100 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -"En algunos entornos donde se usa el esquema RFC2307, los usuarios locales " -"son hechos miembros de los grupos LDAP añadiendo sus nombres al atributo " -"memberUid. La autoconsistencia del dominio se ve comprometida cuando se hace " -"esto, de modo que SSSD debería normalmente quitar los usuarios " -"“desparecidos” de las afiliaciones a grupos escondidas tan pronto como " -"nsswitch intenta ir a buscar información del usuario por medio de las " -"llamadas getpw*() o initgroups()." +"Lista separada por comas de grupos que tienen permitido el acceso. Esto se " +"aplica sólo a los grupos dentro del dominio SSSD. Los grupos locales no " +"serán evaluados." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 +#: sssd-simple.5.xml:111 msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." 
+"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"Esta opción cae de nuevo en comprobar si los usuarios locales están " -"referenciados, y los almacena en caché de manera que más tarde las llamadas " -"initgroups() aumentará los usuarios locales con los grupos LDAP adicionales." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" -msgstr "wildcard_limit (entero)" +"Lista separada por comas de grupos a los que explicítamente se les deniega " +"el acceso. Esto se aplica sólo a los grupos dentro del dominio SSSD. Los " +"grupos locales no serán evaluados." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Especifica un límite superior sobre el número de entradas que son " -"descargadas durante una búsqueda de comodín." +"Vea la sección <quote>DOMAIN SECTIONS</quote> de la página de manual " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> para detalles sobre la configuración de un " +"dominio SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"En este momento solo el respondedor InfoPipe soporta búsqueda de comodín" +"No especificando valores para ninguna de las listas es equivalente a " +"saltarle totalmente. Tenga cuidado de esto mientras genera parámetros para " +"el simple proveedor usando secuencias de comandos automatizadas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" -msgstr "Predeterminado: 1000 (frecuentemente el tamaño de una página)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" +"Por favor advierta que es un error de configuración si tanto, " +"simple_allow_users como simple_deny_user, están definidos." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#: sssd-simple.5.xml:133 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"The following example assumes that SSSD is correctly configured and example." 
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -"Todas las opciones de configuración comunes que se aplican a los dominios " -"SSSD también se aplican a los dominios LDAP. Vea la sección <quote>DOMAIN " -"SECTIONS</quote> de la página de manual <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para detalles " -"completos. <placeholder type=\"variablelist\" id=\"0\"/>" +"El siguiente ejemplo asume que SSSD está correctamente configurado y example." +"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " +"Este ejemplo muestra sólo las opciones específicas del proveedor de acceso " +"simple." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "OPCIONES SUDO" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#: sssd-simple.5.xml:150 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." 
msgstr "" +"La jerarquía completa de membresía del grupo se resuelve antes de la " +"comprobación de acceso, así incluso los grupos anidados se pueden incluir en " +"las listas de acceso. Por favor tenga cuidado en que la opción " +"<quote>ldap_group_nesting_level</quote> puede impactar en los resultados y " +"deberia ser establecidad a un valor suficiente. Opción (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "sss-certmap" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "El objeto clase de una regla de entrada sudo en LDAP." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "Reglas de Correspondencia y Asignación de Certificados SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Por defecto: sudoRole" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" +"La página de manual describe las reglas que pueden ser usadas por SSSD y " +"otros componentes para corresponder con los certificados X.509 y asignarlos " +"a cuentas." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "El atributo LDAP que corresponde a la regla nombre de sudo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "El atributo LDAP que corresponde al nombre de comando." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Por defecto: sudoCommand" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. 
The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -"El atributo LDAP que corresponde al nombre de host (o dirección IP del host, " -"red IP del host o grupo de red del host)" +"Cada regla tiene cuatro componentes, una <quote>priority</quote>, una " +"<quote>matching rule</quote>, una <quote>mapping rule</quote> y una " +"<quote>domain list</quote>. Todos los componentes son opcionales. Si no hay " +"<quote>priority</quote> se añadirá la regla con el nivel de prioridad más " +"bajo. La <quote>matching rule</quote> predeterminada hará coincidir los " +"certificados con la clave de utilización digitalSignature y la clave de " +"utilización extendida clientAuth. Si <quote>mapping rule</quote> está vacía " +"los certificados serán buscados en el atributo userCertificate como DER " +"codificado en binario. Si no se dan dominios solo se buscará en el dominio " +"local." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Por defecto: sudoHost" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "COMPONENTES DE LA REGLA" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "PRIORIDAD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -"El atributo LDAP que corresponde al nombre de usuario (o UID. nombre de " -"grupo o grupo de red del usuario)" +"Las reglas son procesados por prioridad sabiendo que el número '0' (cero) " +"indica la prioridad más alta. Más alto en número más baja la prioridad. Un " +"valor desaparecido indica la prioridad más baja. Las reglas de procesamiento " +"se para cuando una regla coincidente y no se comprueban más reglas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Por defecto: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" +"Internamente la prioridad se trata como un entero no firmado de 32 bitr, la " +"utilización de in valor de prioridad superior a 4294967295 causará un error." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "REGLA DE COINCIDENCIA" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "El atributo LDAP que corresponde a las opciones sudo." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" +"La regla de coincidencia se usa para seleccionar un certificado al que sería " +"aplicado la regla de asignación. Usa un sistema similar al usado por la " +"opción <quote>pkinit_cert_match</quote> de MIT Kerberos. Consiste en una " +"clave encerrada entre '<' y '>' ue identifica una cierta parte del " +"certificado y un patrón para que la regla coincida. Se pueden unir varios " +"pares de palabras claves con '&&' (y) o '||' (o)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Por defecto: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "<SUBJECT>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" +"Con esto una parte o todo el nombre de sujeto del certificado pueden " +"coincidir. Para la coincidencia se usa la sintaxis Expresión Regular " +"Extendida POSIX, vea detalles en regex(7)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -"El atributo LDAP que corresponde al nombre de usuario que los comandos " -"pueden ejecutar como." +"Para coincidir el nombre sujeto almacenado en el certificado en codificación " +"DER ASN.1 se convierte en una cadena de acuerdo a RFC 4514. Esto significa " +"que el componente de nombre más específico es el primero. Por favor advierta " +"que no todos los posibles nombres de atributo están cubiertos por RFC 4514. " +"Los nombres incluidos son 'CN', 'L', 'ST', 'O', 'OU', 'C', 'STREET', 'DC' y " +"'UID'. 
Otros nombres de atributo pueden ser mostrados de forma diferente " +"sobre plataformas distintas y por herramientas diferentes. Para evitar la " +"confusión es mejor que no se usen estos nombres de atributos o se cubran por " +"una expresión regular a medida." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Por defectot: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "Ejemplo: <SUBJECT>.*,DC=MY,DC=DOMAIN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "<ISSUER>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -"El atributo LDAP que corresponde al nombre de grupo o GID de grupo que puede " -"ejecutar comandos como." +"Con esto, se puede hacer coincidir una parte o el nombre completo del emisor " +"del certificado. Todos los comentarios para <SUBJECT> se le aplican " +"también." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Por defecto: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "Ejemplo: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "<KU>key-usage" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -"El atributo LDAP que corresponde al inicio de fecha/hora para cuando la " -"regla sudo es válida." +"Esta opción se puede usar para especificar que valores de uso clave debe " +"tener el certificado. Se pueden usar los siguientes valores en una lista " +"separados por comas:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Por defecto: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "digitalSignature" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "nonRepudiation" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." -msgstr "" -"El atributo LDAP que corresponde a la fecha/hora final, después de la cual " -"la regla sudo dejará de ser válida." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Por defecto: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "dataEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "keyAgreement" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." -msgstr "El atributo LDAP que corresponde al índice de ordenación de la regla." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "keyCertSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Por defecto: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "cRLSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (entero)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "encipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." 
-msgstr "" -"Cuantos segundos esperará SSSD entre ejecutar un refresco total de las " -"reglas sudo (que descarga todas las reglas que están almacenadas en el " -"servidor)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "decipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -"El valor debe ser mayor que <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"Un valor numérico en el rango de un entero sin signo de 32 bit se puede usar " +"también para cubrir casos de uso especiales." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Por defecto: 21600 (6 horas)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "Ejemplo: <KU>digitalSignature,keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (entero)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "<EKU>extended-key-usage" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" +"Esta opción se puede usar para especificar que uso de clave extendida puede " +"tener el certificado. El siguiente valor se puede usar en una lista separada " +"por comas:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." -msgstr "" -"Si los atributos USN no se soportan por el servidor, se usa en su lugar el " -"atributo modifyTimestamp." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "serverAuth" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (booleano)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "clientAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." -msgstr "" -"Si es true, SSSD descargará sólo las reglas que son aplicables a esta " -"máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "codeSigning" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "emailProtection" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." -msgstr "" -"Lista separada por espacios de nombres de host o nombres de dominio " -"totalmente cualificados que sería usada para filtrar las reglas." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "timeStamping" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." -msgstr "" -"Si esta opción está vacía, SSSD intentará descubrir el nombre de host y el " -"nombre de dominio totalmente cualificado automáticamente." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "OCSPSigning" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." -msgstr "" -"Si <emphasis>ldap_sudo_use_host_filter</emphasis> es <emphasis>false</" -"emphasis> esta opción no tiene efecto." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "KPClientAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "Por defecto: no especificado" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "pkinit" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "msScLogin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -"Lista separada por espacios de direcciones de host/red IPv4 o IPv6 que sería " -"usada para filtrar las reglas." +"La utilización de claves extendidas que no están listadas arriba pueden ser " +"especificadas con sus OID en anotación decimal con puntos." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." -msgstr "" -"esta opción está vacía, SSSD intentará descrubrir las direcciones " -"automáticamente." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "Ejemplo: <EKU>clientAuth,1.3.6.1.5.2.3.4" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "sudo_include_netgroups (booleano)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "<SAN>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -"Si está a true SSSD descargará cada regla que contenga un grupo de red en el " -"atributo sudoHost." +"Para ser compatible con la utilización de MIT Kerberos esta opción " +"coincidirá con los principios de Kerberos en PKINIT o AD NT Principal SAN " +"como hace <SAN:Principal>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (booleano)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "Ejemplo: <SAN>.*@MY\\.REALM" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." -msgstr "" -"Si es verdad SSSD descargará cada regla que contenga un comodín en el " -"atributo sudoHost." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "<SAN:Principal>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" +"Haga coincidir los principios principales de Kerberos en la SAN principal de " +"PKINIT o AD NT." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" -"Esta página de manual sólo describe el atributo de nombre mapping. Para una " -"explicación detallada de la semántica del atributo relacionada con sudo, vea " -"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "Example: <SAN:Principal>.*@MY\\.REALM" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "OPCIONES AUTOFS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "<SAN:ntPrincipalName>regular-expression" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 -msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" +"Haga coincidir los principales de Kerberos de la SAN principal de AD NT." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "<SAN:pkinit>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "Haga coincidir los principales de Kerberos con los PKINIT SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (cadena)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "<SAN:dotted-decimal-oid>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" +"Toma el valor del componente SAN otherName dado por el de OID en anotación " +"decimal con puntos, lo interpreta como una cadena e intenta hacerlo " +"coincidir con la expresión regular." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "Example: <SAN:1.2.3.4>test" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "El nombre de una entrada de mapa de automontaje en LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "<SAN:otherName>base64-string" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" +"Haga una coincidencia binaria con el blob codificado en base64 con todos los " +"demás componentes SAN otheName. Con esta opción es posible la coincidencia " +"con los componentes otherName personales con codificación especial que " +"podrían no ser tratados como cadenas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "Example: <SAN:otherName>MTIz" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. 
The entry usually " -"corresponds to a mount point." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "<SAN:rfc822Name>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "Haga coincidir el valor del rfc822Name SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "Example: <SAN:rfc822Name>.*@email\\.domain" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 -msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." -msgstr "" -"La clave de una entrada de automontaje en LDAP. La entrada corresponde " -"normalmente a un punto de montaje." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "<SAN:dNSName>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "Haga coincidir el valor del dNSName SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 -msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "<SAN:x400Address>base64-string" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "Binario coincide con el valor del x400Address SAN." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "Example: <SAN:x400Address>MTIz" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "<SAN:directoryName>regular-expression" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" +"Haga coincidir el valor del directoryName SAN. Los mismos comentarios dados " +"para <ISSUER> and <SUBJECT> se aplican aquí también." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "OPCIONES AVANZADAS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "Example: <SAN:directoryName>.*,DC=com" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "<SAN:ediPartyName>base64-string" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "Hacer coincidir binario el valor del ediPartyName SAN." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "Ejemplo: <SAN:ediPartyName>MTIz" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "<SAN:uniformResourceIdentifier>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "Hacer coincidir el valor del uniformResourceIdentifier SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "Ejemplo: <SAN:uniformResourceIdentifier>URN:.*" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "<SAN:iPAddress>regular-expression" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "Haga coincidir el valor del iPAddress SAN." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 -msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "Ejemplo: <SAN:iPAddress>192\\.168\\..*" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "EJEMPLO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "<SAN:registeredID>regular-expression" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -"El siguiente ejemplo asume que SSSS está configurado correctamente y LDAP " -"está fijado a uno de los dominios de la sección <replaceable>[domains]</" -"replaceable>." +"Haga coincidir el valor de registeredID SAN como cadena decimal con puntos." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "Ejemplo: <SAN:registeredID>1\\.2\\.3\\..*" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"Las opciones disponibles son: <placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "REGLA DE MAPEO" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" +"La regla de mapeo se usa para asociar un certificado con una o mas cuentas. " +"Una Smartcard con el certificado y la clave privada correspondiente puede " +"ser usada entonces para autenticar una de estas cuentas." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. 
Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" +"Actualmente SSSD básicamente solo soporta LDAP para buscar información de " +"usuario (la excepción es el proveedor proxy que no tiene relevancia aqui). " +"Por esto la regla de mapeo se basa en una búsqueda por filtro de sintaxis " +"LDAP con plantillas para añadir el contenido del certificado al filtro. Se " +"espra que ese filtro solo contendrá los datos específicos para el mapeo y " +"que la persona que llama lo incrustará en otro filtro para hacer la búsqueda " +"real. Debido a esto la cadena de filtro de empezar y terminar con '('and')' " +"respectivamente. " -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" +"En general se recomienda usar atributos del certificado y añadirlos a " +"atributos especiales al objeto usuario LDAP. E.g. el atributo " +"'altSecurityIdentities' en AD o el atributo 'ipaCertMapData' para IPA se " +"pueden usar." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "NOTAS" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -"Las descripciones de algunas de las opciones de configuración en esta página " -"de manual están basadas en la página de manual <citerefentry> " -"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> de la distribución OpenLDAP 2.4." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +"Debería preferible leer datos específicos del usuario del certificado, e.g. " +"una dirección de correo electrónico y buscarla en el servidor LDAP. La razón " +"es que los datos específicos del usuario en el LDAP podrían cambiar por " +"diversas razones y romper el mapeo. Por otro lado, sería difícil romper el " +"mapeo a propósito para un usuario específico." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "Módulo PAM para SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" +"Esta plantilla agregará el DN del emisor completo convertido en una " +"plantilla de acuerdo con el RFC 4514. Si se ordena X.500 (más especifico RDN " +"viene el último) se debería usar un opción con el prefijo '_x500'." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). 
Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -"<command>pam_sss.so</command> es la interfaz PAM para el demonio Servicios " -"de Seguridad de Sistema (SSSD). Los errores y resultados son registrados a " -"través de <command>syslog(3)</command> con la facilidad LOG_AUTHPRIV." +"Las opciones de conversión que empiezan con 'ad_' usarán nombres de " +"atributos como los usados por AD, p. ej. 'S' en lugar de 'ST'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "Suprime el registro de mensajes de usuarios desconocidos." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -"Si <option>forward_pass</option> está fijada el password introducido se pone " -"en la pila para que lo usen otros módulos PAM." +"Las opciones de conversión que empiezan por 'nss_' usarán nombres de " +"atributos como los usados por NSS." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -"El argumento use_first_pass fuerza al módulo a usar un módulo de password " -"apilado previamente y nunca preguntará al usuario - si no hay password " -"disponible o el password no es apropiado, se denegará el acceso al usuario." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" +"La opción de conversión predeterminada es 'nss', i.e. los nombres de " +"atributo de acuerdo con la ordenación NSS y LDAP/RFC 4514." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" 
+"ad})" msgstr "" -"Cuando cambia el password fuerza al módulo a fijar el nuevo password a uno " -"suministrado por un módulo de password previamente apilado." +"Ejemplo: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"Si el usuario especificado es preguntado N veces por un password si la " -"autenticación falla. Por defecto es 0." +"Esta plantilla añadirá el sujeto completo DN convertido en una cadena de " +"acuerdo a RFC 4514. Si la ordenación X.500 (más específico RDN viene el " +"último) se usaría una opción con el prefijo '_x500'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. 
A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -"Por favor advierta que esta opción puede no trabajar como se espera llamando " -"PAM a manejar el diálogo de usuario por el mismo. Un ejecplo típico es " -"<command>sshd</command> con <option>PasswordAuthentication</option>." +"Ejemplo: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "{cert[!(bin|base64)]}" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" +"Esta plantilla añadirá el certificado completo codificado DER como una " +"cadena al filtro de búsqueda. Dependiendo de la opción de conversión el " +"certificado binario se convierte en una secuencia hexadecimal escapada " +"'\\xx' o base64. 
La secuencia hexadecimal escapada es la predeterminada y " +"puede, por ejemplo, ser usada con el atributo LDAP 'userCertificate;binary'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "Ejemplo: (userCertificate;binary={cert!bin})" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "{subject_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" +"Esta plantilla añadirá el principal Kerberos bien desde el SAN usado por " +"pkinit o del usado por AD. El componente 'short_name' representa la primera " +"parte del principal antes del signo '@'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" +"Ejemplo: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "{subject_pkinit_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" +"Esta plantilla añadirá el principal Kerberos que es dado por el SAN usado " +"por pkinit. El componente 'short_name' representa la primera parte del " +"principal antes del signo '@'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. 
Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" +"Ejemplo: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "{subject_nt_principal[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" +"Esta plantilla añadirá el principal Kerberos que es dado por el SAN usado " +"por AD. El componente 'short_name' represebta la primera parte del principal " +"antes del signo '@'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "{subject_rfc822_name[.short_name]}" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" +"Esta plantilla añadirá la cadena que está almacenada en el componente " +"rfc822Name del SAN, normalmente una dirección de correo electrónico. El " +"componente 'short_name' representa la primera parte de la dirección antes " +"del signo '@'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" +"Ejemplo: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "{subject_dns_name[.short_name]}" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" +"Esta plantilla añadirá la cadena que está almacenada en el componente " +"dNSName del SAN, normalmente un nombre de host totalmente cualificado. El " +"componente 'short_name' representa la primera parte del nombre antes del " +"primer signo '.'." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" +"Ejemplo: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "{subject_uri}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" +"Esta plantilla añadirá la cadena que está almacenada en el componente " +"uniformResourceIdentifier del SAN." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "Ejemplo: (uri={subject_uri})" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "{subject_ip_address}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" +"Esta plantilla añadirá la cadena que está almacenada en el componente " +"iPAddress del SAN." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "Ejemplo: (ip={subject_ip_address})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "{subject_x400_address}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" +"Esta plantilla añadirá el valor que está almacenado en el componente " +"x400Address del SAN como secuencia hexadecimal escapada." -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "TIPOS DE MÓDULOS SUMINISTRADOS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "Ejemplo: (attr:binary={subject_x400_address})" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -"Todos los tipos de módulos (<option>account</option>, <option>auth</option>, " -"<option>password</option> y <option>session</option>) son suministrados." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" +"Esta plantilla añadirá la cadena DN del valor que está almacenado en el " +"componente directoryName del SAN." -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "ARCHIVOS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "Ejemplo: (orig_dn={subject_directory_name})" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "{subject_ediparty_name}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -"Si un password se resetea por un fallo de root, como el correspondiente " -"proveedor SSSD no soporta el reseteo de password, se puede mostrar un " -"mensaje individual. Este mensaje puede, por ejemplo, contener instrucciones " -"sobre como resetear un password." +"Esta plantilla añadirá el valor que está almacenado en el componente " +"ediPartyName del SAN como secuencia hexadecimal escapada." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "Ejemplo: (attr:binary={subject_ediparty_name})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "{subject_registered_id}" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -"El mensaje se lee desde el fichero <filename>pam_sss_pw_reset_message.LOC</" -"filename> donde LOC destaca una cadena de lugar devuelta por <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. Si no hay fichero coincidente se muestra el contenido de " -"<filename>pam_sss_pw_reset_message.txt</filename>. Root debe ser el " -"propietario de los ficheros y sólo root puede tener permisos de lectura y " -"escritura mientras que todos los demás usuarios sólo tienen permisos de " -"lectura." +"Esta plantilla añadirá la OID que está almacenada en el componente " +"registeredID del SAN como una cadena decimal con puntos.." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "Ejemplo: (oid={subject_registered_id})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. 
If no matching file is present a generic message is " -"displayed." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Estos ficheros son buscados en el directorio <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. Si no hay archivos coincidentes se muestra un " -"mensaje genérico." +"La plantilla para añadir datos de certificado al filtro de búsqueda están " +"basados sobre cadenas formateadas en estilo Python. Consiste en una palabra " +"clave entre llaves con un subcomponente especificador opcional separado por " +"un '.' o una opción opcional de conversión/formateo separada por un '!'. Los " +"valores permitidos son: <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "LISTA DE DOMINIO" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" +"Si la lista de dominio no está vacía los usuarios mapeados a un certificado " +"dado no serán buscados solo en el dominio local sino también en los dominios " +"listados siempre que sean conocidos por SSSD. Los dominios no conocidos por " +"SSSD serán ignorados." #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" -msgstr "" +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "Proveedor SSSD IPA" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#: sssd-ipa.5.xml:23 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Este página de manual describe la configuración del proveedor IPA para " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
Para una referencia de sintaxis detalladas, vea la sección " +"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#: sssd-ipa.5.xml:36 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" +"El proveedor IPA es un back end usado para conectar a un servidor IPA. (Vea " +"el sitio web freeipa.org para información sobre los servidores IPA). Este " +"proveedor requiere que la máquina este unido al dominio IPA; la " +"configuración es casi enteramente auto descubierta y obtenida directamente " +"del servidor." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#: sssd-ipa.5.xml:43 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" +"El proveedor IPA habilita a SSSD para usar el proveedor de identidad " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> y el proveedor de autenticación <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> con optimizaciones para entornos IPA. El proveedor IPA acepta " +"las mismas opciones que las usadas por los proveedores sssd-ldap y sssd-krb5 " +"con algunas excepciones. Sin embargo, no es necesario ni recomendable " +"establecer estas opciones." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" +"El proveedor IPA copia primariamente las opciones por defecto tradicionales " +"de los proveedores ldap y krb5 con algunas excepciones, las diferencias " +"están listadas en la sección <quote>OPCIONES PREDETERMINADAS MODIFICADAS</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" +"Como proveedor de acceso, el proveedor IPA usa reglas HBAC (control de " +"acceso basado en el host). Por favor vaya a freeipa.org para mas información " +"sobre HBAC. No se requiere configuración del proveedor de acceso en el lado " +"cliente." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" +"Si <quote>auth_provider=ipa</quote> o <quote>access_provider=ipa</quote> " +"está configurado en sssd.conf id_provider se debe establecer también a " +"<quote>ipa</quote>." -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" +"El porveedor IPA usara el respondedor PAC si las entradas Kerberos de los " +"usuario de reinos confiables contienen un PAC. Para hacer la configuración " +"más fácil el respondedor PAC es iniciado automáticamente si la ID del " +"proveedor IPA está configurada." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" +"Especifica el nombre del dominio IPA. Esto es opcional. Si no se suministra, " +"se usa el nombre de configuración del dominio." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" +"La lista separada por comas de direcciones IP o nombres de host de los " +"servidores IPA a los que SSSD se conectaría en orden de preferencia. Para " +"más información sobre conmutación en error y redundancia de servidores, vea " +"la sección <quote>FAILOVER</quote>. Esto es opcional si autodiscovery está " +"habilitado. Para más información sobre el servicio descubridor, vea la " +"sección <quote>SERVICE DISCOVERY</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -"No todas las implementaciones Kerberos soportan el uso de plugins. Si " -"<command>sssd_krb5_locator_plugin</command> no está disponible en su sistema " -"usted tiene que editar /etc/krb5.conf para reflejar sus ajustes Kerberos." +"Opcional. Se puede establecer sobre máquinas donde el hostname(5) no refleje " +"el nombre totalmente cualificado usado en el dominio IPA para identificar " +"este host. El nombre de host debe ser totalmente cualificado." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (booleano)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. 
The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -"Si la variable de entorno SSSD_KRB5_LOCATOR_DEBUR está fijada a cualquier " -"valor los mensajes de depuración se enviarán a stderr." +"Opcional. Esta opción le dice a SSSD que actualice automáticamente el " +"servidor DNS incorporado a FreeIPA con la dirección IP de este cliente. La " +"actualización está asegurada utilizando GSS-TSIG. La dirección IP de la " +"conexión IPA LDAP se usa para las actualizaciones, si no se especifica de " +"otra manera utilizando la opción <quote>dyndns_iface</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" +"NOTA: Sobre sistemas más antiguos (como RHEL 5), para que este " +"comportamiento trabaje fiablemente, el reino por defecto Kerberos debe ser " +"fijado apropiadamente en /etc/krb5.conf" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." 
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" +"AVISO: Aunque todas es posible usar la vieja opción " +"<emphasis>ipa_dyndns_update</emphasis>, los usuarios deberían migrar para " +"usar <emphasis>dyndns_update</emphasis> en su fichero de configuración." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" -msgstr "" -"el fichero de configuración para en proveedor de control de acceso 'simple' " -"de SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (entero)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." 
msgstr "" -"Esta página de manual describe la configuración del proveedor de control de " -"acceso simple para <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de " -"sintaxis, vea la sección <quote>FILE FORMAT</quote> de la página de manual " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"El TTL a aplicar al registro del cliente DNS cuando lo actualiza. Si " +"dyndns_update está a false esto no tiene efecto. Esto anula el TTL del lado " +"servidor si se establece por un administrador." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -"El proveedor de acceso simple otorga o deniega el acceso en base a una lista " -"de acceso o denegación de usuarios o grupo de nombres. Se aplican las " -"siguientes reglas:" +"AVISO: Aunque todavía es posible usar la antigua opción " +"<emphasis>ipa_dyndns_ttl</emphasis>, los usuarios deberían migrar usando " +"<emphasis>dyndns_ttl</emphasis> en su fichero de configuración." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Si todas las listas están vacías, se concede acceso" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Por defecto: 1200 (segundos)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -"Si se ha suministrado alguna lista, el orden de evaluación es permitir," -"denegar. Esto significa que cualquier regla de denegación será saltada por " -"cualquier regla de permiso coincidente." +"Opcional. Aplicable solo cuando dyndns_update está a true. Elija la interfaz " +"o la lista de interfaces cuyas direcciones IP serían usadas para las " +"actualizaciones DNS dinámicas. El valor especial <quote>*</quote> implica " +"que las IPs de todas las interfaces serían las usadas." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." 
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -"Si una o ambas listas de \"permiso\" se suministran, todos los usuarios " -"serán denegados a no ser que aparezcan en la lista." +"AVISO: Aunque todavía es posible usar la vieja opción " +"<emphasis>ipa_dyndns_iface</emphasis>, los usuarios deberían migrar usando " +"<emphasis>dyndns_iface</emphasis> en su fichero de configuración." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -"Si sólo se suministran listas de \"denegación\", todos los usuarios " -"obtendran acceso a no ser que aparezcan en la lista." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." -msgstr "Lista separada por comas de usuarios a los está permitido el acceso." +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (cadena)" +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -"Lista separada por comas de usuarios a los que explicítamente se les deniega " -"el acceso." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (cadena)" +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. 
If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -"Lista separada por comas de grupos que tienen permitido el acceso. Esto se " -"aplica sólo a los grupos dentro del dominio SSSD. Los grupos locales no " -"serán evaluados." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (cadena)" +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#: sssd-ipa.5.xml:247 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -"Lista separada por comas de grupos a los que explicítamente se les deniega " -"el acceso. Esto se aplica sólo a los grupos dentro del dominio SSSD. Los " -"grupos locales no serán evaluados." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -"Vea la sección <quote>DOMAIN SECTIONS</quote> de la página de manual " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> para detalles sobre la configuración de un " -"dominio SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -"No especificando valores para ninguna de las listas es equivalente a " -"saltarle totalmente. Tenga cuidado de esto mientras genera parámetros para " -"el simple proveedor usando secuencias de comandos automatizadas." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -"Por favor advierta que es un error de configuración si tanto, " -"simple_allow_users como simple_deny_user, están definidos." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -"El siguiente ejemplo asume que SSSD está correctamente configurado y example." -"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " -"Este ejemplo muestra sólo las opciones específicas del proveedor de acceso " -"simple." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. 
If no domains are given only the local domain will be " -"searched." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 -msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 -msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Predeterminado: Utilizar DN base" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" +"Opcional. Usa la cadena dada como base de búsqueda para los objetos HBAC " +"relacionados." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 -msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (cadena)Opcional. " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 -msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" +"Opcional. Usa la cadena dada como base de búsqueda para los mapas de usuario " +"SELinux." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" +"Opcional: Usa la cadena dada como base de búsqueda de dominios de confianza." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Por defecto: el valor de <emphasis>cn=trusts,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" +"Opcional: Usa la cadena dada como base de búsqueda para el objeto maestro de " +"dominio." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "Por defecto: el valor de <emphasis>cn=ad,cn=etc,%basedn</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" +"El nombre del reino Kerberos. Esto es opcional y por defecto está al valor " +"de <quote>ipa_domain</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" +"El nombre del reino Kerberos tiene un significado especial en IPA – es " +"convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Predeterminado: 5 (segundos)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (entero)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" +"La cantidad de tiempo entre vbúsquedas de las reglas HBAC contra el servidor " +"IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si hay " +"muchas peticiones de control de acceso hechas en un corto período." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" +"La cantidad de tiempo entre búsquedas de los mapas SELinux contra el " +"servidor IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si " +"hay muchas peticiones de acceso de usuario hechas en un corto período." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. 
This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" +msgstr "La localización del automontador de este cliente IPA que será usada" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "Por defecto: La localización llamada “default”" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Predeterminado: cn" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:643 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#: sssd-ipa.5.xml:656 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#: sssd-ipa.5.xml:696 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" +msgstr "PROVEEDOR DE SUBDOMINIOS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" +"El proveedor de subdominios IPA se comporta de forma ligeramente diferente " +"si está configurado explícitamente o implícitamente." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." 
msgstr "" +"Si la opción ' subdomains_provider = ipa' se encuentra en la sección de " +"dominio de sssd.conf, el proveedor de subdominios de IPA se configura " +"explícitamente, y todas las peticiones de subdominio se envían al servidor " +"de IPA si es necesario." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:775 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 -msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 -msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 -msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 -msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 -msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" +"El siguiente ejemplo asume que SSSD está correctamente configurado y example." +"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " +"Este ejemplo muestra sólo las opciones específicas del proveedor ipa." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Esta página de manual describe la configuración del proveedor AD para " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Para una referencia detallada de sintaxis, vea la sección " +"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" +"El proveedor AD soporta la conexión a Active Directory 2008 R2 o " +"posteriores. Las versiones anteriores pueden trabajar, pero no está " +"soportadas." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"ldap_id_mapping = False\n" +" " msgstr "" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" +"Especifica el nombre del dominio Active Directory. 
Esto es opcional. Si no " +"se suministra, se usa la configuración del nombre de dominio." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" +"Para una operativa apropiada, esta opción sería especificada en la versión " +"minúscula de la versión larga del dominio Active Directory." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"A comma-separated list of enabled Active Directory domains. 
If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" +"Opcional. Puede ser fijada en máquinas donde el hostname(5) no refleja el " +"nombre totalmente cualificado usaro en el dominio Active Directory para " +"identificar este host." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" +"Este campo se usa para determinar el host principal en uso en la keytab. " +"Debe coincidir con el nombre del host desde que se envío la keytab." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. 
Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -"Este página de manual describe la configuración del proveedor IPA para " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Para una referencia de sintaxis detalladas, vea la sección " -"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) 
This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -"El proveedor IPA es un back end usado para conectar a un servidor IPA. (Vea " -"el sitio web freeipa.org para información sobre los servidores IPA). Este " -"proveedor requiere que la máquina este unido al dominio IPA; la " -"configuración es casi enteramente auto descubierta y obtenida directamente " -"del servidor." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -"El porveedor IPA usara el respondedor PAC si las entradas Kerberos de los " -"usuario de reinos confiables contienen un PAC. Para hacer la configuración " -"más fácil el respondedor PAC es iniciado automáticamente si la ID del " -"proveedor IPA está configurada." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (cadena)" +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:311 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -"Especifica el nombre del dominio IPA. Esto es opcional. Si no se suministra, " -"se usa el nombre de configuración del dominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" -msgstr "ipa_server, ipa_backup_server (cadena)" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:325 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -"La lista separada por comas de direcciones IP o nombres de host de los " -"servidores IPA a los que SSSD se conectaría en orden de preferencia. Para " -"más información sobre conmutación en error y redundancia de servidores, vea " -"la sección <quote>FAILOVER</quote>. Esto es opcional si autodiscovery está " -"habilitado. 
Para más información sobre el servicio descubridor, vea la " -"sección <quote>SERVICE DISCOVERY</quote>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (cadena)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:333 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:350 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#: sssd-ad.5.xml:359 msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -"NOTA: Sobre sistemas más antiguos (como RHEL 5), para que este " -"comportamiento trabaje fiablemente, el reino por defecto Kerberos debe ser " -"fijado apropiadamente en /etc/krb5.conf" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:367 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:376 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." 
+"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "Por defecto: 1200 (segundos)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:401 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. 
Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:410 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:417 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. 
For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:475 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:495 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 -msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#: sssd-ad.5.xml:515 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:531 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#: sssd-ad.5.xml:549 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:554 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 -msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 -msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 -msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:638 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Predeterminado: Utilizar DN base" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (cadena)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -"Opcional. Usa la cadena dada como base de búsqueda para los objetos HBAC " -"relacionados." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (cadena)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (cadena)Opcional. " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -"Opcional. Usa la cadena dada como base de búsqueda para los mapas de usuario " -"SELinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (cadena)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:697 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" -"Opcional: Usa la cadena dada como base de búsqueda de dominios de confianza." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "Por defecto: el valor de <emphasis>cn=trusts,%basedn</emphasis>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (cadena)" +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" -"Opcional: Usa la cadena dada como base de búsqueda para el objeto maestro de " -"dominio." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "Por defecto: el valor de <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:755 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. 
If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -"El nombre del reino Kerberos. Esto es opcional y por defecto está al valor " -"de <quote>ipa_domain</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:773 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -"El nombre del reino Kerberos tiene un significado especial en IPA – es " -"convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:778 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. 
" +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:790 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:808 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). 
If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Predeterminado: 5 (segundos)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. 
For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (entero)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:852 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -"La cantidad de tiempo entre vbúsquedas de las reglas HBAC contra el servidor " -"IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si hay " -"muchas peticiones de control de acceso hechas en un corto período." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:857 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"La cantidad de tiempo entre búsquedas de los mapas SELinux contra el " -"servidor IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si " -"hay muchas peticiones de acceso de usuario hechas en un corto período." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 -msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#: sssd-ad.5.xml:901 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (cadena)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "La localización del automontador de este cliente IPA que será usada" +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. 
This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "Por defecto: La localización llamada “default”" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:989 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). 
The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Predeterminado: True" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" +"El siguiente ejemplo asume que SSSD está correctamente configurado y example." 
+"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " +"Este ejemplo muestra sólo las opciones específicas del proveedor AD." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." 
+"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"El proveedor de control de acceso AD comprueba si la cuenta está expirada. " +"Tiene el mismo efecto que la siguiente configuración del proveedor LDAP: " +"<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "Configuración de sudo con el motor de SSSD" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" +"Esta página de manual describe como configurar <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"para trabajar con <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> y como SSSD esconde reglas sudo." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "PROVEEDOR DE SUBDOMINIOS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 -msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." -msgstr "" -"El proveedor de subdominios IPA se comporta de forma ligeramente diferente " -"si está configurado explícitamente o implícitamente." 
+#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "Configurando sudo para cooperar con SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sssd-sudo.5.xml:38 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"Si la opción ' subdomains_provider = ipa' se encuentra en la sección de " -"dominio de sssd.conf, el proveedor de subdominios de IPA se configura " -"explícitamente, y todas las peticiones de subdominio se envían al servidor " -"de IPA si es necesario." +"Para habilitar SSSD como una fuente de reglas sudo, añada <emphasis>sss</" +"emphasis> a la entrada <emphasis>sudoers</emphasis> en <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd-sudo.5.xml:47 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" +"Por ejemplo, para configurar sudo para primero buscar reglas en el fichero " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> estándar (que contendría reglas para aplicar al " +"usuario local) y después en SSSD, el fichero nsswitch.conf contiene la " +"siguiente línea:" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 +#: sssd-sudo.5.xml:57 #, no-wrap +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" +"Más información sobre la configuración del orden de búsqueda de sudoers " +"desde el fichero nsswuitch.conf así información sobre el esquema LDAP que se " +"usa para almacenar reglas sudo en el directorio se puede encontrar en " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sssd-sudo.5.xml:70 msgid "" -"Some configuration options can be also set for a trusted domain. 
A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "Configurando SSSD para ir a buscar reglas sudo" + #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sssd-sudo.5.xml:84 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sssd-sudo.5.xml:94 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" +"El siguiente ejemplo muestra como configurar SSSD para descargar reglas sudo " +"desde un servidor LDAP." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. 
The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "El mecanismo de almacenamiento en cache de regla SUDO" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." 
msgstr "" +"El mayor desafío, cuando se desarrolla soporte sudo en SSSD, fue asegurar " +"que ejecutando sudo con SSSD como la fuente de datos suministre la misma " +"experiencia de usuario y sea tan rápido como sudo pero se mantenga " +"proporcionando el conjunto más actual de reglas como sea posible. Para " +"satisfacer estos requisitos, SSSD usa tres clases de actualizaciones. A " +"ellas nos referimos como refresco total, refresco inteligente y refresco de " +"reglas." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" +"El <emphasis>refresco inteligente</emphasis> periódicamente descarga reglas " +"que son nuevas o fueron modificadas desde la última actualización. Su " +"objetivo principal es mantener la base de datos creciendo mediante la " +"atracción de pequeños incrementos que no generen grandes cantidades de " +"tráfico de red." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. 
However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" +"<emphasis>full refresh</emphasis> simplemente refresca todas las reglas sudo " +"almacenadas en el cache y las reemplaza con las reglas que están almacenadas " +"en el servidor. Esto se usa para mantener el cache consistente borrando cada " +"regla que fue borrada del servidor. Sin embargo, un refresco total puede " +"producir gran cantidad de tráfico y por lo tanto debería ser ejecutado sólo " +"ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
msgstr "" +"El <emphasis>refresco de reglas</emphasis> asegura que no concedamos más " +"permisos al usuario que los definidos. Se dispara cada vez que el usuario " +"ejecuta sudo. El refresco de reglas encontrará todas las reglas que se " +"apliquen a ese usuario, comprobará su tiempo de expiración y las recargará " +"si han expirado. En el caso de que alguna de esas reglas estén desaparecidas " +"del servidor, SSSD hará un refresco total fuera de banda puesto que más " +"reglas (que apliquen a otros usuarios) pueden haber sido borradas." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sssd-sudo.5.xml:161 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -"El siguiente ejemplo asume que SSSD está correctamente configurado y example." -"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " -"Este ejemplo muestra sólo las opciones específicas del proveedor ipa." +"Si está habilitado, SSSD almacenará sólo las reglas que pueden ser aplicadas " +"a esa máquina. Esto indica reglas que contienen uno de los siguientes " +"valores en el atributo <emphasis>sudoHost</emphasis>:" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "keyword ALL" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "comodines" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "netgroup (en la forma \"+netgroup\")" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 -msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -"Esta página de manual describe la configuración del proveedor AD para " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Para una referencia detallada de sintaxis, vea la sección " -"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"nombre de host o nombre de dominio totalmente cualificado de esta máquina" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 -msgid "" -"The AD provider is a back end used to connect to an Active Directory server. 
" -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "una de las direcciones IP de esta máquina" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 -msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" -"El proveedor AD soporta la conexión a Active Directory 2008 R2 o " -"posteriores. Las versiones anteriores pueden trabajar, pero no está " -"soportadas." +"una de las direcciones IP de la red (en la forma \"dirección/máscara\")" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sssd-sudo.5.xml:199 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" +"Hay muchas opciones de configuración que pueden ser usadas para ajustar el " +"comportamiento. 
Por favor vea \"ldap_sudo_*\" en <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> y \"sudo_*\" en <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "System Security Services Daemon" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." 
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#: sssd.8.xml:31 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" +"<command>SSSD</command> suministra un conjunto de demonios para gestionar el " +"acceso a directorios remotos y mecanismos de autenticación. Suministra una " +"interfaz NSS y PAM hacia el sistema y un sistema de parte trasera conectable " +"para conectar múltiples fuentes de cuentas diferentes así como interfaz D-" +"Bus. Es también la base para suministrar servicios de auditoría y política a " +"los clientes para proyectos como FreeIPA. Suministra una base de datos más " +"robusta para almacenar los usuarios locales así como datos de usuario " +"extendidos." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"ldap_id_mapping = False\n" -" " +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -"ldap_id_mapping = False\n" -" " +"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVEL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" +"<emphasis>1</emphasis>: Agregar marca de tiempo a mensajes de depuración " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -"Especifica el nombre del dominio Active Directory. Esto es opcional. Si no " -"se suministra, se usa la configuración del nombre de dominio." +"<emphasis>0</emphasis>: Desactiva marca de tiempo en mensajes de depuración" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." -msgstr "" -"Para una operativa apropiada, esta opción sería especificada en la versión " -"minúscula de la versión larga del dominio Active Directory." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" +"<emphasis>1</emphasis>: Agregar microsegundos a la marca de tiempo en " +"mensajes de depuración" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "<emphasis>0</emphasis>: Desactiva microsegundos en marcas de tiempo" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"Send the debug output to files instead of stderr. 
By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" +"Envía la salida de depuración a ficheros en lugar de a stderr. Por defecto, " +"los ficheros de registro se almacenan en <filename>/var/log/sssd</filename> " +"y hay ficheros de registro separados para cada servicio y dominio SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 -msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." -msgstr "" -"Opcional. Puede ser fijada en máquinas donde el hostname(5) no refleja el " -"nombre totalmente cualificado usaro en el dominio Active Directory para " -"identificar este host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Convertido en un demonio después de la puesta en marcha." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 -msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." -msgstr "" -"Este campo se usa para determinar el host principal en uso en la keytab. " -"Debe coincidir con el nombre del host desde que se envío la keytab." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Ejecutar en primer plano, no convertirse en un demonio." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Especifica un fichero de configuración distinto al de por defecto. El por " +"defecto es <filename>/etc/sssd/sssd.conf</filename>. Para referencia sobre " +"las opciones y sintaxis del fichero de configuración, consulta la página de " +"manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." 
+"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 -msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 -msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "Imprimir número de versión y salir." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Señales" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" +"Informa a SSSD para terminar graciosamente todos sus procesos hijos y " +"después para el monitor." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." 
msgstr "" +"Le dice a SSSD que pare de escribir en su fichero descriptor de depuración " +"actual y cerrar y reabrirlo. Esto significa facilitar la circulación de " +"registro con programas como logrotate." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." 
+"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +#| "client applications will not use the fast in-memory cache." msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" +"AVISO: Si la variable de entorno SSS_NSS_USE_MEMCACHE estça fijada a \"NO\", " +"las aplicaciones clientes no usaran la memoria cache rápida." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "oscurecer un password en texto claro" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[CONTRASEÑA]</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" +"<command>sss_obfuscate</command> convierte una contraseña dada en un formato " +"no legible y la sitúa en la sección apropiada del dominio del fichero de " +"configuración SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." 
+"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" +"La contraseña en texto claro es leída desde la entrada estándar e " +"introducida interactivamente. La contraseña ofuscada se pone en el parámetro " +"<quote>ldap_default_authtok</quote> de un dominio SSSD dado y el parámetro " +"<quote>ldap_default_authtok_type</quote> se fija a " +"<quote>obfuscated_password</quote>. Vea <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para más " +"detalles sobre estos parámetros." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. 
Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" +"Por favor advierta que oscurecer la contraseña <emphasis>no suministra un " +"beneficio real de seguridad</emphasis> y es posible para un atacante " +"mediante ingeniería inversa volver atrás la contraseña. Se recomienda " +"<emphasis>firmemente</emphasis> el uso de mejores mecanismos de " +"autenticación como certificados en el lado cliente o GSSAPI." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "La contraseña a oscurecer será leída desde la entrada estándar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMINIO</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" +"El dominio SSSD en el que usar la contraseña. El nombre por defecto es " +"<quote>default</quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>ARCHIVO</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" +"Lee el fichero de configuración especificado por el parámetro posicional." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Predeterminado: <filename>/etc/sssd/sssd.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 -msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. 
This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"Override attributes of an user. 
Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "Crea un nuevo usuario" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" +"<command>sss_useradd</command> crea una nueva cuenta de usuario usando los " +"valores especificados en la línea de comandos más los valores por defecto " +"del sistema." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"Fija la UID del usuario al valor de <replaceable>UID</replaceable>. Si no se " +"da, se elige automáticamente." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMENTARIO</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." 
msgstr "" +"Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa " +"como el campo para el nombre completo del usuario." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" +"El directorio home de la cuenta de usuario. Por defecto se añade el nombre " +"<replaceable>LOGIN</replaceable> a <filename>/home</filename> y utiliza esto " +"como directorio home. La base de que se antepondrá antes <replaceable>LOGIN</" +"replaceable> es sintonizable con el ajuste <quote>user_defaults/" +"baseDirectory</quote> en sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" +"La shell de acceso del usuario. Por defecto es actualmente <filename>/bin/" +"bash</filename>. El valor por defecto puede ser cambiado con el ajuste " +"<quote>user_defaults/defaultShell</quote> en sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GRUPOS</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" +"Una lista de grupos existentes de los que el usuario también es miembro." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" +"Crea el directorio home del usuario si no existe. Los ficheros y directorios " +"contenidos en el directorio esqueleto (que pueden ser definidos con la " +"opción –k o en el fichero de configuración) serán copiados en el directorio " +"home." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." msgstr "" +"No se crear el directorio principal del usuario. Reemplaza los valores de " +"configuración." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." 
msgstr "" +"El directorio esqueleto, que contiene ficheros y directorios a copiar en el " +"directorio home del usuario, cuando el directorio home es creado por " +"<command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" +"Esta opción sólo es válida si se ha especificado la opción <option>-m</" +"option> (o <option>--create-home</option>), o la creación de directorios " +"home está fijada a TRUE en la configuración." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" +"El usuario SELinux para el acceso de usuario. Si no se especifica, se usará " +"el valor por defecto del sistema." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." 
msgstr "" +"Esta página de manual describe la configuración del motor de autenticación " +"de Kerberos 5 para <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de " +"la sintaxis, por favor vea la sección <quote>FORMATO DE ARCHIVO</quote> de " +"la página de manual de <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" +"El motor de autenticaciónd e Kerberos 5 contiene proveedores auth y chpass. " +"Debe ir junto con un proveedor de identidad para que funcione adecuadamente " +"(por ejemplo, id_provider = ldap). Algo de información requerida por el " +"motor de autenticación de Kerberos 5 debe ser provista por el proveedor de " +"identidad, tal como el Nombre Principal del usuario de Kerberos (NPU). La " +"configuración del proveedor de identidad debe tener una entrada específica " +"para el NPU. Por favor, vea la página del manual para el proveedor de " +"identidad aplicable, para más detalles sobre cómo configurar esto." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" +"Este motor también provee control de acceso basado en el archivo .k5login en " +"el directorio de inicio del usuario. Vea <citerefentry> <refentrytitle>." +"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> para más " +"detalles. Por favor, observe que un archivo .k5login vacío negará todo el " +"acceso a este usaurio. Para activar esta característica, use " +"'access_provider = krb5' en su configuración de SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." 
msgstr "" +"En el caso de que el NPU no esté disponible en el motor de identidad, " +"<command>sssd</command> construirá un NPU usando el formato " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#: sssd-krb5.5.xml:77 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" +"Especifica una lista separada por comas de direcciones IP o nombres de host " +"de los servidores Kerberos a los cuales se conectaría SSSD en orden de " +"preferencia. Para más información sobre failover y redundancia de servidor, " +"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional " +"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de " +"host. Si está vacío, el servicio descubridor está habilitado; para más " +"información, vea la sección <quote>SERVICE DISCOVERY</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:106 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. 
Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" +"El nombre del reino Kerberos. Esta opción se requiere y debe ser " +"especificada." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Predeterminado: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -"El siguiente ejemplo asume que SSSD está correctamente configurado y example." -"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " -"Este ejemplo muestra sólo las opciones específicas del proveedor AD." +"Si el servicio de cambio de contraseña no está corriendo en el KDC, se " +"pueden definir aquí servidores alternativos. Un número de puerto opcional " +"(precedido de dos puntos) debe ser añadido a las direcciones o nombres de " +"host." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"Para más información sobre recuperación de fallos y redundancia de servidor, " +"consulte la sección de <quote>conmutación por error</quote>. Nota: incluso " +"si no hay más servidores kpasswd para intentar, y el punto final no está " +"conmutado para trabajar fuera de línea la autenticación contra el KDC es " +"todavía posible." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" -msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Predeterminado: Use the KDC" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 -msgid "" -"The AD access control provider checks if the account is expired. 
It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" -"El proveedor de control de acceso AD comprueba si la cuenta está expirada. " -"Tiene el mismo efecto que la siguiente configuración del proveedor LDAP: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 -msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "Configuración de sudo con el motor de SSSD" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." -msgstr "" -"Esta página de manual describe como configurar <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"para trabajar con <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> y como SSSD esconde reglas sudo." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "Configurando sudo para cooperar con SSSD" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." -msgstr "" -"Para habilitar SSSD como una fuente de reglas sudo, añada <emphasis>sss</" -"emphasis> a la entrada <emphasis>sudoers</emphasis> en <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 -msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" -msgstr "" -"Por ejemplo, para configurar sudo para primero buscar reglas en el fichero " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> estándar (que contendría reglas para aplicar al " -"usuario local) y después en SSSD, el fichero nsswitch.conf contiene la " -"siguiente línea:" - -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 -msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." -msgstr "" -"Más información sobre la configuración del orden de búsqueda de sudoers " -"desde el fichero nsswuitch.conf así información sobre el esquema LDAP que se " -"usa para almacenar reglas sudo en el directorio se puede encontrar en " -"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 -msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "Configurando SSSD para ir a buscar reglas sudo" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 -msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." -msgstr "" -"El siguiente ejemplo muestra como configurar SSSD para descargar reglas sudo " -"desde un servidor LDAP." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Predeterminado: /tmp" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap -msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (string)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." -msgstr "" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "nombre de acceso" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "El mecanismo de almacenamiento en cache de regla SUDO" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 -msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." -msgstr "" -"El mayor desafío, cuando se desarrolla soporte sudo en SSSD, fue asegurar " -"que ejecutando sudo con SSSD como la fuente de datos suministre la misma " -"experiencia de usuario y sea tan rápido como sudo pero se mantenga " -"proporcionando el conjunto más actual de reglas como sea posible. Para " -"satisfacer estos requisitos, SSSD usa tres clases de actualizaciones. A " -"ellas nos referimos como refresco total, refresco inteligente y refresco de " -"reglas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "UID de acceso" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. 
Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." -msgstr "" -"El <emphasis>refresco inteligente</emphasis> periódicamente descarga reglas " -"que son nuevas o fueron modificadas desde la última actualización. Su " -"objetivo principal es mantener la base de datos creciendo mediante la " -"atracción de pequeños incrementos que no generen grandes cantidades de " -"tráfico de red." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." -msgstr "" -"<emphasis>full refresh</emphasis> simplemente refresca todas las reglas sudo " -"almacenadas en el cache y las reemplaza con las reglas que están almacenadas " -"en el servidor. Esto se usa para mantener el cache consistente borrando cada " -"regla que fue borrada del servidor. Sin embargo, un refresco total puede " -"producir gran cantidad de tráfico y por lo tanto debería ser ejecutado sólo " -"ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas sudo." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "nombre principal" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 -msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." -msgstr "" -"El <emphasis>refresco de reglas</emphasis> asegura que no concedamos más " -"permisos al usuario que los definidos. Se dispara cada vez que el usuario " -"ejecuta sudo. El refresco de reglas encontrará todas las reglas que se " -"apliquen a ese usuario, comprobará su tiempo de expiración y las recargará " -"si han expirado. En el caso de que alguna de esas reglas estén desaparecidas " -"del servidor, SSSD hará un refresco total fuera de banda puesto que más " -"reglas (que apliquen a otros usuarios) pueden haber sido borradas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 -msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" -msgstr "" -"Si está habilitado, SSSD almacenará sólo las reglas que pueden ser aplicadas " -"a esa máquina. Esto indica reglas que contienen uno de los siguientes " -"valores en el atributo <emphasis>sudoHost</emphasis>:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nombre de reino" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "comodines" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "directorio home" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "netgroup (en la forma \"+netgroup\")" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -"nombre de host o nombre de dominio totalmente cualificado de esta máquina" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "una de las direcciones IP de esta máquina" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "" -"una de las direcciones IP de la red (en la forma \"dirección/máscara\")" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 -msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -"Hay muchas opciones de configuración que pueden ser usadas para ajustar el " -"comportamiento. Por favor vea \"ldap_sudo_*\" en <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> y \"sudo_*\" en <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "System Security Services Daemon" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "un literal ‘%’" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." 
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -"<command>SSSD</command> suministra un conjunto de demonios para gestionar el " -"acceso a directorios remotos y mecanismos de autenticación. Suministra una " -"interfaz NSS y PAM hacia el sistema y un sistema de parte trasera conectable " -"para conectar múltiples fuentes de cuentas diferentes así como interfaz D-" -"Bus. Es también la base para suministrar servicios de auditoría y política a " -"los clientes para proyectos como FreeIPA. Suministra una base de datos más " -"robusta para almacenar los usuarios locales así como datos de usuario " -"extendidos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVEL</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -"<emphasis>1</emphasis>: Agregar marca de tiempo a mensajes de depuración " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -"<emphasis>0</emphasis>: Desactiva marca de tiempo en mensajes de depuración" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (entero)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. 
If possible, the authentication request is continued " +"offline." msgstr "" -"<emphasis>1</emphasis>: Agregar microsegundos a la marca de tiempo en " -"mensajes de depuración" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" -msgstr "<emphasis>0</emphasis>: Desactiva microsegundos en marcas de tiempo" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." -msgstr "" -"Envía la salida de depuración a ficheros en lugar de a stderr. Por defecto, " -"los ficheros de registro se almacenan en <filename>/var/log/sssd</filename> " -"y hay ficheros de registro separados para cada servicio y dominio SSSD." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (boolean)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. 
If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" +"La localización de la keytab a usar cuando son obtenidas credenciales " +"validadas desde KDCs." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 -msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Predeterminado: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Convertido en un demonio después de la puesta en marcha." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Ejecutar en primer plano, no convertirse en un demonio." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"Especifica un fichero de configuración distinto al de por defecto. El por " -"defecto es <filename>/etc/sssd/sssd.conf</filename>. Para referencia sobre " -"las opciones y sintaxis del fichero de configuración, consulta la página de " -"manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 -msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Imprimir número de versión y salir." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Señales" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Por defecto: no fijado, esto es el TGT no es renovable" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." 
+"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -"Informa a SSSD para terminar graciosamente todos sus procesos hijos y " -"después para el monitor." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -"Le dice a SSSD que pare de escribir en su fichero descriptor de depuración " -"actual y cerrar y reabrirlo. Esto significa facilitar la circulación de " -"registro con programas como logrotate." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Default: not set, i.e. 
the default ticket lifetime configured on the KDC." msgstr "" +"Por defecto: no fijado, esto es el tiempo de vida de la entrada por defecto " +"configurado en el KDC." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "oscurecer un password en texto claro" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (cadena)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[CONTRASEÑA]</" -"replaceable></arg>" +"Habilita la autenticación segura flexible de los túneles (FSAT) para la pre-" +"autenticación Kerberos. Se soportan las siguientes opciones:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -"<command>sss_obfuscate</command> convierte una contraseña dada en un formato " -"no legible y la sitúa en la sección apropiada del dominio del fichero de " -"configuración SSSD." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -"La contraseña en texto claro es leída desde la entrada estándar e " -"introducida interactivamente. La contraseña ofuscada se pone en el parámetro " -"<quote>ldap_default_authtok</quote> de un dominio SSSD dado y el parámetro " -"<quote>ldap_default_authtok_type</quote> se fija a " -"<quote>obfuscated_password</quote>. Vea <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para más " -"detalles sobre estos parámetros." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." 
msgstr "" -"Por favor advierta que oscurecer la contraseña <emphasis>no suministra un " -"beneficio real de seguridad</emphasis> y es posible para un atacante " -"mediante ingeniería inversa volver atrás la contraseña. Se recomienda " -"<emphasis>firmemente</emphasis> el uso de mejores mecanismos de " -"autenticación como certificados en el lado cliente o GSSAPI." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." -msgstr "La contraseña a oscurecer será leída desde la entrada estándar." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" -msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMINIO</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Por defecto: no fijado, esto es no se usa FAST." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -"El dominio SSSD en el que usar la contraseña. El nombre por defecto es " -"<quote>default</quote>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>ARCHIVO</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -"Lee el fichero de configuración especificado por el parámetro posicional." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Predeterminado: <filename>/etc/sssd/sssd.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (cadena)" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "Especifica el servidor principal para usar por FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." 
msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " +#| "more information on the locator plugin." msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" +"Vea la página de manual <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> para más información sobre el complemento " +"localizador." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 -msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "Crea un nuevo grupo" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" +"<command>sss_groupadd</command> cre un nuevo grupo. Estos grupos son " +"compatibles con grupos POXIS, con la característica adicional que pueden " +"contener otros grupos como miembros." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_groupadd.8.xml:48 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"Fija el GID del grupo al valor de <replaceable>GID</replaceable>. Si no se " +"da, se elige automáticamente." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "eliminar una cuenta de usuario" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" +"<command>sss_userdel</command> borra del sistema un usuario identificado por " +"su nombre de acceso <replaceable>LOGIN</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_userdel.8.xml:48 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. 
Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" +"Los ficheros en el directorio home del usuario serán borrados así como el " +"directorio home mismo y el buzón de correo del usuario. Reescribe la " +"configuración." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" -msgstr "" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#: sss_userdel.8.xml:60 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" +"Los ficheros en el directorio home del usuario NO serán borrados así como el " +"directorio home mismo y el buzón de correo del usuario. Reescribe la " +"configuración." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." 
+#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" +"Esta opción fuerza a <command>sss_userdel</command> a borrar el directorio " +"home del usuario y el buzón de correo, aunque no sea propiedad del usuario " +"especificado." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" -msgstr "" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" -msgstr "" +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "Antes de realmente eliminar al usuario, terminar todos sus procesos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "eliminar un grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. 
You can omit a " -"value simply by leaving corresponding field empty." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" +"<command>sss_groupdel</command> borra del sistema un grupo identificado por " +"su nombre <replaceable>GROUP</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "imprime las propiedades de un grupo" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." 
-msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" +"<command>sss_groupshow</command> muestra información sobre un grupo " +"identificado por su nombre <replaceable>GROUP</replaceable>. La información " +"incluye el número de ID del grupo, miembros del grupo y padres del grupo." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" +"También imprime miembros indirectos del grupo en una jerarquía de árbol. 
" +"Advierta que esto también afecta a la impresión de los grupos padres – sin " +"<option>R</option>,, sólo se imprimirá los padres directos." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "Crea un nuevo usuario" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "Modifica una cuenta de usuario" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" "arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" "arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 -msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." -msgstr "" -"<command>sss_useradd</command> crea una nueva cuenta de usuario usando los " -"valores especificados en la línea de comandos más los valores por defecto " -"del sistema." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_usermod.8.xml:32 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<command>sss_usermod</command> modifica la cuenta especificada por " +"<replaceable>LOGIN</replaceable> para reflejar los cambios que se han " +"especificado en la línea de comando." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 -msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" -"Fija la UID del usuario al valor de <replaceable>UID</replaceable>. Si no se " -"da, se elige automáticamente." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 -msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" -msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMENTARIO</" -"replaceable>" +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "El directorio principal de la cuenta de usuario." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 -msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." -msgstr "" -"Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa " -"como el campo para el nombre completo del usuario." 
+#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "Shell de inicio de sesión del usuario." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +"Añade este usuario a los grupos especificados por el parámetro " +"<replaceable>GROUPS</replaceable>. El parámetro <replaceable>GROUPS</" +"replaceable> es una lista separada por comas de nombres de grupo." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_usermod.8.xml:96 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"El directorio home de la cuenta de usuario. Por defecto se añade el nombre " -"<replaceable>LOGIN</replaceable> a <filename>/home</filename> y utiliza esto " -"como directorio home. La base de que se antepondrá antes <replaceable>LOGIN</" -"replaceable> es sintonizable con el ajuste <quote>user_defaults/" -"baseDirectory</quote> en sssd.conf." 
+"Borrar este usuario de los grupos especificados por el parámetro " +"<replaceable>GROUPS</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." -msgstr "" -"La shell de acceso del usuario. Por defecto es actualmente <filename>/bin/" -"bash</filename>. El valor por defecto puede ser cambiado con el ajuste " -"<quote>user_defaults/defaultShell</quote> en sssd.conf." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Bloquea la cuenta de usuario. El usuario no será capaz de acceder." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" -msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GRUPOS</" -"replaceable>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." 
-msgstr "" -"Una lista de grupos existentes de los que el usuario también es miembro." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Desbloquea la cuenta de usuario." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "El usuario SELinux para el acceso del usuario." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" -"Crea el directorio home del usuario si no existe. Los ficheros y directorios " -"contenidos en el directorio esqueleto (que pueden ser definidos con la " -"opción –k o en el fichero de configuración) serán copiados en el directorio " -"home." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sss_usermod.8.xml:152 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"No se crear el directorio principal del usuario. Reemplaza los valores de " -"configuración." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 -msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -"El directorio esqueleto, que contiene ficheros y directorios a copiar en el " -"directorio home del usuario, cuando el directorio home es creado por " -"<command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "lleva a cabo la limpieza del escondrijo" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -"Esta opción sólo es válida si se ha especificado la opción <option>-m</" -"option> (o <option>--create-home</option>), o la creación de directorios " -"home está fijada a TRUE en la configuración." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" -"El usuario SELinux para el acceso de usuario. Si no se especifica, se usará " -"el valor por defecto del sistema." +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalida el usuario específico." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." 
msgstr "" -"Esta página de manual describe la configuración del motor de autenticación " -"de Kerberos 5 para <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de " -"la sintaxis, por favor vea la sección <quote>FORMATO DE ARCHIVO</quote> de " -"la página de manual de <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Invalida todos los registros de usuario. Esta opción anula la invalidación " +"de usuario específico si también está fijada." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" -"El motor de autenticaciónd e Kerberos 5 contiene proveedores auth y chpass. " -"Debe ir junto con un proveedor de identidad para que funcione adecuadamente " -"(por ejemplo, id_provider = ldap). Algo de información requerida por el " -"motor de autenticación de Kerberos 5 debe ser provista por el proveedor de " -"identidad, tal como el Nombre Principal del usuario de Kerberos (NPU). La " -"configuración del proveedor de identidad debe tener una entrada específica " -"para el NPU. 
Por favor, vea la página del manual para el proveedor de " -"identidad aplicable, para más detalles sobre cómo configurar esto." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "Invalida grupo específico." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -"Este motor también provee control de acceso basado en el archivo .k5login en " -"el directorio de inicio del usuario. Vea <citerefentry> <refentrytitle>." -"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> para más " -"detalles. Por favor, observe que un archivo .k5login vacío negará todo el " -"acceso a este usaurio. Para activar esta característica, use " -"'access_provider = krb5' en su configuración de SSSD." +"Invalida todos los registros de grupo. Esta opción anula la invalidación de " +"grupo específico si también está fijada." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -"En el caso de que el NPU no esté disponible en el motor de identidad, " -"<command>sssd</command> construirá un NPU usando el formato " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Invalida grupo de red específico." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." 
+"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -"Especifica una lista separada por comas de direcciones IP o nombres de host " -"de los servidores Kerberos a los cuales se conectaría SSSD en orden de " -"preferencia. Para más información sobre failover y redundancia de servidor, " -"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional " -"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de " -"host. Si está vacío, el servicio descubridor está habilitado; para más " -"información, vea la sección <quote>SERVICE DISCOVERY</quote>." +"Invalida todos los registros de grupo de red. Esta opción anula la " +"invalidación de grupo de red específico si también está fijada." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" -"El nombre del reino Kerberos. Esta opción se requiere y debe ser " -"especificada." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Invalida servicio específico" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" -"Si el servicio de cambio de contraseña no está corriendo en el KDC, se " -"pueden definir aquí servidores alternativos. Un número de puerto opcional " -"(precedido de dos puntos) debe ser añadido a las direcciones o nombres de " -"host." +"Invalida todos los archivos de servicio. Esta opción anula la invalidación " +"de servicio específico si también fue fijada." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" -"Para más información sobre recuperación de fallos y redundancia de servidor, " -"consulte la sección de <quote>conmutación por error</quote>. 
Nota: incluso " -"si no hay más servidores kpasswd para intentar, y el punto final no está " -"conmutado para trabajar fuera de línea la autenticación contra el KDC es " -"todavía posible." +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Predeterminado: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalida mapas específicos autofs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" +"Invalida todos los mapas autofs. Esta opción anula la invalidación de mapa " +"específico si fue fijada." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Predeterminado: /tmp" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "nombre de acceso" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "UID de acceso" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "nombre principal" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "nombre de reino" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restringe el proceso de invalidación sólo a un dominio concreto." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "directorio home" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "alimenta el cache SSSD con un usuario" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" +"<command>sss_seed</command> alimenta el cache SSSD con una entrada de " +"usuario y una contresañe temporal. Si una entrada de usuario está ya " +"presente en el cache SSSD la entrada se actualiza con la contraseña temporal" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "un literal ‘%’" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" +"Suministra el nombre del dominio del que el usuario es miembro. El dominio " +"también se usa para recuperar información del usuario. El dominio debe estar " +"configurado en sssd.conf. La opción <replaceable>DOMAIN</replaceable> debe " +"ser suministrada. La información recuperada del dominio anula la que se ha " +"suministrado en las opciones." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." 
+"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" +"El nombre de usuario de la entrada a ser creado o modificado en el cache. Se " +"debe suministrar la opción <replaceable>USER</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Fija la UID del usuario a <replaceable>UID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "Fija la GID del usuario a <replaceable>GID</replaceable>." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" +"Fija el directorio home del usuario a <replaceable>HOME_DIR</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" +"Fija la shell de acceso del usuario a <replaceable>SHELL</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (entero)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" +"Modo interactivo de introducir información del usuario. Esta opción sólo " +"preguntará por la información no suministrada en las opciones o recuperada " +"del dominio." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. 
If possible, the authentication request is continued " -"offline." +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"Especifica el fichero desde donde leer la contraseña del usuario (si no se " +"especifica se pregunta por la contraseña)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" +"La longitud de la contraseña (o el tamaño especificado con la opción -p or --" +"password-file) debe ser menos o igual a PASS_MAX bytes ( 64 bytes en " +"sistemas sin valor PASS_MAX globalmente definido)." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (cadena)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"La localización de la keytab a usar cuando son obtenidas credenciales " -"validadas desde KDCs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Predeterminado: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 -msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "Por defecto: no fijado, esto es el TGT no es renovable" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 -msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 -msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 -msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" -"Por defecto: no fijado, esto es el tiempo de vida de la entrada por defecto " -"configurado en el KDC." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. 
This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (cadena)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -"Habilita la autenticación segura flexible de los túneles (FSAT) para la pre-" -"autenticación Kerberos. Se soportan las siguientes opciones:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 -msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 -msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "Por defecto: no fijado, esto es no se usa FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (cadena)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." -msgstr "Especifica el servidor principal para usar por FAST." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 -msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 -msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " -#| "more information on the locator plugin." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -"Vea la página de manual <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> para más información sobre el complemento " -"localizador." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 -msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VEA TAMBIEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "obtiene las claves OpenSSH autorizadas" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." 
msgstr "" +"<command>sss_ssh_authorizedkeys</command> adquiere la clave pública SSH para " +"el usuario <replaceable>USER</replaceable> y las saca en formato de claves " +"autorizadas OpenSSH (vea la sección <quote>AUTHORIZED_KEYS FILE FORMAT</" +"quote> de <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> para más información)." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sss_ssh_authorizedkeys.1.xml:59 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "Crea un nuevo grupo" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -"<command>sss_groupadd</command> cre un nuevo grupo. Estos grupos son " -"compatibles con grupos POXIS, con la característica adicional que pueden " -"contener otros grupos como miembros." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 -msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -"Fija el GID del grupo al valor de <replaceable>GID</replaceable>. 
Si no se " -"da, se elige automáticamente." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "eliminar una cuenta de usuario" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -"<command>sss_userdel</command> borra del sistema un usuario identificado por " -"su nombre de acceso <replaceable>LOGIN</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -"Los ficheros en el directorio home del usuario serán borrados así como el " -"directorio home mismo y el buzón de correo del usuario. Reescribe la " -"configuración." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" -msgstr "<option>-R</option>,<option>--no-remove</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"Los ficheros en el directorio home del usuario NO serán borrados así como el " -"directorio home mismo y el buzón de correo del usuario. Reescribe la " -"configuración." +"Busca las claves públicas del usuario en el dominio SSSD " +"<replaceable>DOMAIN</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -"Esta opción fuerza a <command>sss_userdel</command> a borrar el directorio " -"home del usuario y el buzón de correo, aunque no sea propiedad del usuario " -"especificado." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "Antes de realmente eliminar al usuario, terminar todos sus procesos." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "eliminar un grupo" +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "obtiene las claves OpenSSH del host" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" -"arg>" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -"<command>sss_groupdel</command> borra del sistema un grupo identificado por " -"su nombre <replaceable>GROUP</replaceable>." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "imprime las propiedades de un grupo" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" +"Si se especifica <replaceable>PROXY_COMMAND</replaceable>, se usa para crear " +"la conexión al host en lugar de abrir un socket." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" -"arg>" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<command>sss_groupshow</command> muestra información sobre un grupo " -"identificado por su nombre <replaceable>GROUP</replaceable>. La información " -"incluye el número de ID del grupo, miembros del grupo y padres del grupo." 
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> puede ser configurado para usar " +"<command>sss_ssh_knownhostsproxy</command> para autenticación de la clave " +"del host usando las siguientes directivas <citerefentry><refentrytitle>ssh</" +"refentrytitle> <manvolnum>1</manvolnum></citerefentry> configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/> " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -"También imprime miembros indirectos del grupo en una jerarquía de árbol. " -"Advierta que esto también afecta a la impresión de los grupos padres – sin " -"<option>R</option>,, sólo se imprimirá los padres directos." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "Modifica una cuenta de usuario" +"Usa el puerto <replaceable>PORT</replaceable> para conectar al host. Por " +"defecto, el puerto usado es el 22." -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Busca las claves públicas del host en el dominio SSSD <replaceable>DOMAIN</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 -msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -"<command>sss_usermod</command> modifica la cuenta especificada por " -"<replaceable>LOGIN</replaceable> para reflejar los cambios que se han " -"especificado en la línea de comando." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "El directorio principal de la cuenta de usuario." +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "Shell de inicio de sesión del usuario." +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -"Añade este usuario a los grupos especificados por el parámetro " -"<replaceable>GROUPS</replaceable>. El parámetro <replaceable>GROUPS</" -"replaceable> es una lista separada por comas de nombres de grupo." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -"Borrar este usuario de los grupos especificados por el parámetro " -"<replaceable>GROUPS</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." 
-msgstr "Bloquea la cuenta de usuario. El usuario no será capaz de acceder." +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "Desbloquea la cuenta de usuario." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." -msgstr "El usuario SELinux para el acceso del usuario." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 +msgid "" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "lleva a cabo la limpieza del escondrijo" +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-files.5.xml:36 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "Invalida el usuario específico." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 +msgid "" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Invalida todos los registros de usuario. 
Esta opción anula la invalidación " -"de usuario específico si también está fijada." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "Invalida grupo específico." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." 
+"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Invalida todos los registros de grupo. Esta opción anula la invalidación de " -"grupo específico si también está fijada." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "Invalida grupo de red específico." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -"Invalida todos los registros de grupo de red. Esta opción anula la " -"invalidación de grupo de red específico si también está fijada." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"passwd: sss files\n" +"group: sss files\n" msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "Invalida servicio específico" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Invalida todos los archivos de servicio. Esta opción anula la invalidación " -"de servicio específico si también fue fijada." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "Invalida mapas específicos autofs." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -"Invalida todos los mapas autofs. Esta opción anula la invalidación de mapa " -"específico si fue fijada." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." -msgstr "Restringe el proceso de invalidación sólo a un dominio concreto." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 -msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "alimenta el cache SSSD con un usuario" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" -"<command>sss_seed</command> alimenta el cache SSSD con una entrada de " -"usuario y una contresañe temporal. Si una entrada de usuario está ya " -"presente en el cache SSSD la entrada se actualiza con la contraseña temporal" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 -msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -"Suministra el nombre del dominio del que el usuario es miembro. El dominio " -"también se usa para recuperar información del usuario. 
El dominio debe estar " -"configurado en sssd.conf. La opción <replaceable>DOMAIN</replaceable> debe " -"ser suministrada. La información recuperada del dominio anula la que se ha " -"suministrado en las opciones." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#: sssd-secrets.5.xml:207 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -"El nombre de usuario de la entrada a ser creado o modificado en el cache. Se " -"debe suministrar la opción <replaceable>USER</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "Fija la UID del usuario a <replaceable>UID</replaceable>." +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." -msgstr "Fija la GID del usuario a <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#: sssd-secrets.5.xml:219 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -"Fija el directorio home del usuario a <replaceable>HOME_DIR</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -"Fija la shell de acceso del usuario a <replaceable>SHELL</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 -msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -"Modo interactivo de introducir información del usuario. Esta opción sólo " -"preguntará por la información no suministrada en las opciones o recuperada " -"del dominio." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -"Especifica el fichero desde donde leer la contraseña del usuario (si no se " -"especifica se pregunta por la contraseña)" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-secrets.5.xml:241 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"La longitud de la contraseña (o el tamaño especificado con la opción -p or --" -"password-file) debe ser menos o igual a PASS_MAX bytes ( 64 bytes en " -"sistemas sin valor PASS_MAX globalmente definido)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 -msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 -msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#: sssd-secrets.5.xml:278 msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#: sssd-secrets.5.xml:359 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-secrets.5.xml:372 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-secrets.5.xml:385 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-secrets.5.xml:424 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." 
+"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "VEA TAMBIEN" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" - -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "obtiene las claves OpenSSH autorizadas" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -"<command>sss_ssh_authorizedkeys</command> adquiere la clave pública SSH para " -"el usuario <replaceable>USER</replaceable> y las saca en formato de claves " -"autorizadas OpenSSH (vea la sección <quote>AUTHORIZED_KEYS FILE FORMAT</" -"quote> de <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> para más información)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Busca las claves públicas del usuario en el dominio SSSD " -"<replaceable>DOMAIN</replaceable>." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#: sssd-secrets.5.xml:606 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "obtiene las claves OpenSSH del host" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 +#: sssd-session-recording.5.xml:41 msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -"Si se especifica <replaceable>PROXY_COMMAND</replaceable>, se usa para crear " -"la conexión al host en lugar de abrir un socket." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> puede ser configurado para usar " -"<command>sss_ssh_knownhostsproxy</command> para autenticación de la clave " -"del host usando las siguientes directivas <citerefentry><refentrytitle>ssh</" -"refentrytitle> <manvolnum>1</manvolnum></citerefentry> configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/> " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." 
+"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -"Usa el puerto <replaceable>PORT</replaceable> para conectar al host. Por " -"defecto, el puerto usado es el 22." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -"Busca las claves públicas del host en el dominio SSSD <replaceable>DOMAIN</" -"replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#: sssd-kcm.8.xml:67 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-kcm.8.xml:76 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-kcm.8.xml:100 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 +#: sssd-kcm.8.xml:122 msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"systemctl restart sssd-kcm.service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#: sssd-kcm.8.xml:131 msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 +#: sssd-kcm.8.xml:155 msgid "" -"Another reason is to provide efficient caching of local users and groups." +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#: sssd-kcm.8.xml:164 msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of the AD provider for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " +#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page." msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"Esta página de manual describe la configuración del proveedor AD para " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Para una referencia detallada de sintaxis, vea la sección " +"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 +#: sssd-kcm.8.xml:183 msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id, max_id (entero)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Predeterminado: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (entero)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 +msgid "" +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Predeterminado: 6" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 +#: sssd-systemtap.5.xml:23 msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#: sssd-systemtap.5.xml:32 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"[domain/files]\n" -"id_provider = files\n" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 #, no-wrap msgid "" -"passwd: sss files\n" -"group: sss files\n" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." 
+"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 #, no-wrap msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 +msgid "" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "auth sufficient pam_sss.so allow_missing_name\n" +#| " " msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." 
+"attr:string\n" +"value:string\n" +" " msgstr "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 -msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" -msgstr "" +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (cadena)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "Proveedor SSSD LDAP" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." 
msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" +"Esta página de manual describe la configuración de dominios LDAP para " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Vea la sección <quote>FILE FORMAT</quote> de la página de " +"manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> para información detallada de la sintáxis." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "La clase de objeto de una entrada de usuario en LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Predeterminado: posixAccount" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" +"El atributo LDAP que corresponde al nombre de inicio de sesión del usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Predeterminado: uid (rfc2307, rfc2307bis e IPA), sAMAccountName (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "El atributo LDAP que corresponde al id de usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "Predeterminado: uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "El atributo LDAP que corresponde al id del grupo primario del usuario." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Predeterminado: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" +msgstr "ldap_user_primary_group (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" +"Atributo de grupo primario Active Directory para el mapeo de ID. Advierta " +"que este atributo debería solo ser establecido manualmente si usted está " +"ejecutando el proveedor <quote>ldap</quote> con mapeo ID." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "Predeterminado: no establecido (LDAP), primaryGroupID (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." 
+msgstr "El atributo LDAP que corresponde al campo de gecos del usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Predeterminado: gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" +"El atributo LDAP que contiene el nombre del directorio principal del usuario." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" +"El atributo LDAP que contiene la ruta de acceso a la shell predeterminada " +"del usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Predeterminado: loginShell" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" +"El atributo LDAP que contiene el UUID/GUID de un objeto de usuario LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" +"Predeterminado: no establecido en caso general, objectGUID para AD e " +"ipaUniqueID para IPA" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"El atributo LDAP que contiene el objectSID de un objeto usuario LDAP. Esto " +"es normalmente sólo necesario para servidores ActiveDirectory." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" +"Predeterminado: objectSid para ActiveDirectory, no establecido para otros " +"servidores." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" +"El atributo LDAP que contiene la fecha y hora de la última modificación del " +"objeto primario." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Predeterminado: modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " +"de un atributo LDAP correspondiente a su <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> homologo (fecha del último cambio de password)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Predeterminado: shadowLastChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " +"de un atributo LDAP correspondiente a su <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> homologo (edad mínima del password)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Predeterminado: shadowMin" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " +"de un atributo LDAP correspondiente a su <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> homologo (edad máxima del password)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Predeterminado: shadowMax" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " +"de un atributo LDAP correspondiente a su <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> homologo (período de aviso de password)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Predeterminado: shadowWarning" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre " +"de un atributo LDAP correspondiente a su <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> homologo (período de inactividad de password)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Predeterminado: shadowInactive" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"Cuando se utiliza ldap_pwd_policy=shadow o " +"ldap_account_expire_policy=shadow, este parámetro contiene el nombre de un " +"atributo correspondiente con su <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> homólogo (fecha de " +"expiración de la cuenta)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Predeterminado: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" +"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el " +"nombre de un atributo LDAP que almacena la fecha y la hora del último cambio " +"de password en kerberos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Predeterminado: krbLastPwdChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." 
msgstr "" +"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el " +"nombre de un atributo LDAP que almacena la fecha y la hora en la que expira " +"el password actual." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Predeterminado: krbPasswordExpiration" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" +"Cuando se utiliza ldap_account_expire_policy=ad, este parámetro contiene el " +"nombre de un atributo LDAP que almacena el tiempo de expiración de la cuenta." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Predeterminado: accountExpires" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" +"Cuando se usa ldap_account_expire_policy=ad, este parámetro contiene el " +"nombre de un atributo LDAP que almacena el campo bit de control de la cuenta " +"de usuario." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Predeterminado: userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" +"Cuando se usa ldap_account_expire_policy=rhds o esquivalente, este parámetro " +"determina si el acceso está permitido o no." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "Predeterminado: nsAccountLock" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" +"Cuando se usa ldap_account_expire_policy=nds, este atributo determina si el " +"acceso está permitido o no." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Predeterminado: loginDisabled" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" +"Cuando se usa ldap_account_expire_policy=nds, este atributo determina hasta " +"que fecha se concede el acceso." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" +"Cuando se utiliza ldap_account_expire_policy=nds, este atributo determina la " +"hora de un día en la semana cuando se concede el acceso." -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Predeterminado: loginAllowedTimeMap" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" +"El atributo LDAP que contiene le Nombre Principal de Usuario Kerberos (UPN) " +"del usuario." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Predeterminado: krbPrincipalName" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" +"Lista separada por comas de atributos LDAP que SSSD debería ir a buscar con " +"el conjunto usual de atributos de usuario." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." 
msgstr "" +"La lista puede contener bien nombres de atributo LDAP solamente o tuplas " +"separadas por comas de de nombre de atributo SSSD en caché y nombre de " +"atributo LDAP. En el caso de que solo sed especifique el nombre de atributo " +"LDAP, el atributo se salva al caché literal. El uso de un nombre de " +"atributo SSSD personal puede ser requerido por entornos que configuran " +"varios dominios SSSD con diferentes esquemas LDAP." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" +"Por favor advierta que varios nombres de atributos están reservados por " +"SSSD, notablemente el atributo <quote>name</quote>. SSSD informaría de un " +"error si cualquiera de los nombres de atributo reservados es usado como un " +"nombre de atributo extra." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. 
The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" +"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como " +"<quote>telephoneNumber</quote> al caché." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" +"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como " +"<quote>phone</quote> al caché." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (cadena)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "El atributo LDAP que contiene las claves públicas SSH del usuario." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "Predeterminado: sshPublicKey" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "El atributo LDAP que corresponde al nombre completo del usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "El atributo LDAP que lista los afiliación a grupo de usario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Predeterminado: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"Si access_provider=ldap y ldap_access_order=authorized_service, SSSD " +"utilizará la presencia del atributo authorizedService en la entrada LDAP del " +"usuario para determinar el privilegio de acceso." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"Una denegación explícita (¡svc) se resuelve primero. Segundo, SSSD busca " +"permiso explícito (svc) y finalmente permitir todo (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" +"Por favor advierta que la opcion de configuración ldap_access_order " +"<emphasis>debe</emphasis> incluir <quote>authorized_service</quote> con el " +"objetivo de que la opción ldap_user_authorized_service trabaje." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Predeterminado: iluminada" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." 
+"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" +"Si access_provider=ldap y ldap_access_order=host, SSSD utilizará la " +"presencia del atributo host en la entrada LDAP del usuario para determinar " +"el privilegio de acceso." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" +"Una denegación explícita (¡host) se resuelve primero. Segundo, la búsqueda " +"SSSD para permiso explícito (host) y finalmente permitir todo (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." 
msgstr "" +"Por favor advierta que la opción de configuración ldap_access_order " +"<emphasis>debe</emphasis> incluir <quote>host</quote> con el objetivo de que " +"la opción ldap_user_authorized_host." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Default: host" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" +msgstr "ldap_user_authorized_rhost (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" +"Si access_provider=ldap y ldap_access_order=rhost, SSSD usará la presencia " +"del atributo rhost en la entrada LDAP de usuario para determinar el " +"privilegio de acceso. Similarmente al proceso de verificación de host." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" +"Una denegación explícita (!rhost) se resuelve primero. Segundo, SSSD busca " +"permisos explícitos (rhost) y finalmente allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" +"Por favor advierta que la opción de configuración ldap_access_order " +"<emphasis>debe</emphasis> incluir <quote>rhost</quote> con el objetivo de " +"que la opción ldap_user_authorized_rhost trabaje." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" +msgstr "Predeterminado: rhost" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "Nombre del atributo LDAP que contiene el certificado X509 del usuario." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "Predeterminado: userCertificate;binary" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "ldap_user_email (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" +"Nombre del atributo LDAP que contiene el correo electrónico del usuario." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" +"Aviso: Si una dirección de correo electrónico de un usuario entra en " +"conflicto con una dirección de correo electrónico o el nombre totalmente " +"cualificado de otro usuario, SSSD no será capaz de servir adecuadamente a " +"esos usuarios. 
Si por alguna de varias razones los usuarios necesitan " +"compartir la misma dirección de correo electrónico establezca esta opción a " +"un nombre de atributo no existente con elobjetivo de deshabilitar la " +"búsqueda/acceso por correo electrónico." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" +msgstr "Predeterminado: mail" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "La clase de objeto de una entrada de grupo LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Por defecto: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "El atributo LDAP que corresponde al nombre de grupo." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Predeterminado: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "El atributo LDAP que corresponde al id del grupo." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "El atributo LDAP que contiene los nombres de los miembros del grupo." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Valor predeterminado: memberuid (rfc2307) / member (rfc2307bis)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "El atributo LDAP que contiene el UUID/GUID de un objeto grupo LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"El atributo LDAP que contiene el objectSID de un objeto grupo LDAP. Esto es " +"normalmente sólo necesario para servidores ActiveDirectory." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +#, fuzzy +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" +"El atributo LDAP que contiene un valor entero indicando el tipo del grupo y " +"puede ser otras banderas." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" +"Este atributo es actualmente usado por el proveedor AD para determinar si un " +"grupo está en grupos de dominio local y ha de ser sacado de los dominios de " +"confianza." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" +"Predeterminado: groupType en el proveedor AD, de otro modo no establecido" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" +msgstr "ldap_group_external_member (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" +"El atributo LDAP que referencia a los miembros de grupo que están definidos " +"en un dominio externo. En este momento, solo se soportan los miembros " +"externos de IPA." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" +"Predeterminado: ipaExternalMember en el proveedor IPA, de otro modo no " +"estabecido." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "La clase de objeto de una entrada netgroup en LDAP." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "En proveedor IPA, ipa_netgroup_object_class, se usaría en su lugar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Predeterminado: nisNetgroup" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -#, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the AD provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." -msgstr "" -"Esta página de manual describe la configuración del proveedor AD para " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
Para una referencia detallada de sintaxis, vea la sección " -"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (cadena)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "El atributo LDAP que corresponde al nombre del netgroup." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "Un proveedor IPA, ipa_netgroup_name sería usado en su lugar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" +"El atributo LDAP que contiene los nombres de los miembros de grupo de red." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "Un proveedor IPA, ipa_netgroup_member sería usado en su lugar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Predeterminado: memberNisNetgroup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"El atributo LDAP que contiene los (host, usuario, dominio) triples de grupo " +"de red." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id, max_id (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "Esta opción no está disponible en el proveedor IPA." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Predeterminado: nisNetgroupTriple" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (cadena)" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Predeterminado: 6" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" +msgstr "ldap_host_object_class (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." +msgstr "El objeto clase de una entrada host en LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Por defecto: ipService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" +msgstr "ldap_host_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "El atributo LDAP que corresponde al nombre de host." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (entero)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "ldap_host_fqdn (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." 
+"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" +"El atributo LDAP que corresponde al nombre de dominio totalmente cualificado " +"del host." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Predeterminado: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "Predeterminado: fqdn" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" +msgstr "ldap_host_serverhostname (cadena)" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" +msgstr "Predeterminado: serverHostname" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" +msgstr "ldap_host_member_of (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "Atributo LDAP que lista los miembros del grupo del host." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" +msgstr "ldap_host_ssh_public_key (cadena)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "Atributo LDAP que contiene las claves públicas SSH del host." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "ldap_host_uuid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "Atributo LDAP que contiene las UUID/GUID de un objeto host LDAP." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" -msgstr "" +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "SECCIONES DE SERVICIOS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "La clase objeto de una entrada de servicio en LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" +"El atributo LDAP que contiene el nombre de servicio de atributos y sus alias." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "El atributo LDAP que contiene el puerto manejado por este servicio." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Por defecto: ipServicePort" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" +"El atributo LDAP que contiene los protocolos entendidos por este servicio." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Por defecto: ipServiceProtocol" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "El objeto clase de una regla de entrada sudo en LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Por defecto: sudoRole" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "El atributo LDAP que corresponde a la regla nombre de sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "El atributo LDAP que corresponde al nombre de comando." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Por defecto: sudoCommand" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" +"El atributo LDAP que corresponde al nombre de host (o dirección IP del host, " +"red IP del host o grupo de red del host)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Por defecto: sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" +"El atributo LDAP que corresponde al nombre de usuario (o UID. nombre de " +"grupo o grupo de red del usuario)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Por defecto: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "El atributo LDAP que corresponde a las opciones sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Por defecto: sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" +"El atributo LDAP que corresponde al nombre de usuario que los comandos " +"pueden ejecutar como." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Por defectot: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" +"El atributo LDAP que corresponde al nombre de grupo o GID de grupo que puede " +"ejecutar comandos como." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Por defecto: sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" +"El atributo LDAP que corresponde al inicio de fecha/hora para cuando la " +"regla sudo es válida." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Por defecto: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" +"El atributo LDAP que corresponde a la fecha/hora final, después de la cual " +"la regla sudo dejará de ser válida." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Por defecto: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "El atributo LDAP que corresponde al índice de ordenación de la regla." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Por defecto: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "OPCIONES AUTOFS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (cadena)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." +msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" +"Predeterminado: nisMap (rfc2307, autofs_provider=ad), de otra manera " +"automountMap" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "El nombre de una entrada de mapa de automontaje en LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" +"Predeterminado: nisMapName (rfc2307, autofs_provider=ad), de otra manera " +"automountMapName" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" +"El objeto clase de una entrada de montaje automático en LDAP. La entrada " +"normalmente corresponde a un punto de montaje." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" +"Predeterminado: nisObject (rfc2307, autofs_provider=ad), de otra manera " +"automount" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (cadena)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" +"La clave de una entrada de automontaje en LDAP. La entrada corresponde " +"normalmente a un punto de montaje." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" +"Predeterminado: cn (rfc2307, autofs_provider=ad), de otra manera automountKey" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (cadena)" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" +"Predeterminado: nisMapEntry (rfc2307, autofs_provider=ad), de otra manera " +"automountInformation" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 
@@ -19046,3 +19789,17 @@ msgstr "" #~ msgid "Default: homeDirectory" #~ msgstr "Predeterminado: homeDirectory" + +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (entero)" + +#~ msgid "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#~ msgstr "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" diff --git a/src/man/po/eu.po b/src/man/po/eu.po index 58de2ef0ff5..60d333c050d 100644 --- a/src/man/po/eu.po +++ b/src/man/po/eu.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-14 11:55+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/" @@ -30,7 +30,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "" 
@@ -73,7 +73,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "" @@ -132,7 +132,7 @@ msgstr "" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "" @@ -141,7 +141,7 @@ msgstr "" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -292,12 +292,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -314,19 +314,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -349,8 +353,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -365,7 +369,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -413,19 +417,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -445,7 +449,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -465,12 +469,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -478,39 +482,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -525,20 +529,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -546,52 +561,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -604,17 +619,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -624,7 +639,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -637,23 +652,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -663,7 +678,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -672,22 +687,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -695,67 +710,86 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 msgid "Default: sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -763,19 +797,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -783,24 +817,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -809,7 +843,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -817,8 +851,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -826,68 +874,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -898,7 +946,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -915,7 +963,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -932,12 +980,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -946,22 +994,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -971,17 +1019,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -991,18 +1039,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1010,24 +1058,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1035,12 +1083,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1052,58 +1100,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1111,7 +1159,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1121,7 +1169,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1130,17 +1178,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1148,17 +1196,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1166,17 +1214,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1185,7 +1233,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1194,41 +1242,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1236,23 +1284,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1260,47 +1308,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1308,112 +1356,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1424,96 +1472,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1521,59 +1569,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1582,61 +1630,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1644,7 +1692,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1653,17 +1701,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1671,31 +1719,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1705,75 +1753,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1781,19 +1829,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1801,12 +1849,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1814,77 +1862,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1892,7 +1940,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1904,63 +1952,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1968,12 +2016,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1984,7 +2032,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1992,7 +2040,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2000,7 +2048,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2009,12 +2057,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2025,24 +2073,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2052,22 +2100,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2075,51 +2123,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2128,24 +2176,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2156,7 +2231,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2167,24 +2242,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2192,12 +2267,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2206,24 +2281,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2233,66 +2308,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2300,17 +2375,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2318,7 +2393,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2326,22 +2401,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2350,14 +2425,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2366,38 +2441,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2406,24 +2481,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2432,29 +2507,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2468,14 +2543,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2484,39 +2559,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2525,19 +2600,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2548,115 +2623,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2665,42 +2740,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2708,24 +2783,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2734,17 +2809,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2753,34 +2828,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2788,7 +2863,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2796,8 +2871,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2806,8 +2881,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2815,19 +2890,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2836,7 +2911,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2844,22 +2919,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2871,7 +2946,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2879,19 +2954,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2899,7 +2974,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2907,35 +2982,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2943,19 +3018,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2964,7 +3039,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2972,29 +3047,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3002,7 +3077,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3010,35 +3085,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3046,32 +3121,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3082,7 +3157,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3091,12 +3166,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3104,7 +3179,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3112,31 +3187,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3144,7 +3219,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3153,17 +3228,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3171,43 +3246,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3215,7 +3290,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3223,7 +3298,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3231,24 +3306,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3256,12 +3331,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3271,7 +3346,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3280,29 +3355,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3310,7 +3385,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3320,59 +3395,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3381,77 +3456,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3459,7 +3534,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3468,17 +3543,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3486,34 +3561,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3521,32 +3596,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3556,34 +3631,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3592,19 +3667,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3612,24 +3687,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3638,24 +3713,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3665,14 +3740,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3680,21 +3755,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3702,7 +3777,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3711,7 +3786,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3720,7 +3795,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3728,29 +3803,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3758,12 +3833,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3772,12 +3847,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3785,19 +3860,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3814,7 +3889,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3822,17 +3897,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3841,7 +3916,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3851,7 +3926,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3871,12 +3946,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3884,73 +3959,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3958,17 +4033,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3977,17 +4052,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3995,17 +4070,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4013,17 +4088,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4034,69 +4109,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4109,7 +4184,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4117,7 +4192,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4126,55 +4201,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4183,17 +4258,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4201,26 +4276,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4229,17 +4304,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4249,7 +4324,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4258,59 +4333,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4318,14 +4393,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4333,7 +4408,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4341,12 +4416,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4376,7 +4451,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4385,7 +4460,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4393,7 +4468,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4404,7 +4479,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4418,7 +4493,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4474,12 +4549,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4489,33 +4564,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4524,71 +4599,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4597,7 +4672,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4608,12 +4683,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4621,32 +4696,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4657,37 +4732,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4696,10725 +4771,10965 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1577 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. 
To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. 
With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 -msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." 
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. 
The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. 
The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. 
In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. 
This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." 
+"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." 
+"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. 
The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"The option also supports specifying different filters per domain or forest. 
" +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. 
See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. 
However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 -msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 -msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. 
The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. 
To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:495 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:515 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:531 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:549 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 -msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 -msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:638 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. 
Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:697 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:715 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:721 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 -msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:778 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:790 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." 
+"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:808 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." 
+#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." 
+"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. 
This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. 
It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 -msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sss_override.8.xml:32 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sss_override.8.xml:37 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. 
After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"Some configuration options can be also set for a trusted domain. 
A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 -msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 -msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"ldap_id_mapping = False\n" -" " +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. 
Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap -msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"The home directory of the user account. 
The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." 
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 -msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). 
Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#: sssd-krb5.5.xml:77 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#: sssd-krb5.5.xml:106 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#: sssd-krb5.5.xml:138 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 -msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#: sssd-krb5.5.xml:154 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#: sssd-krb5.5.xml:216 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#: sssd-krb5.5.xml:243 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#: sssd-krb5.5.xml:257 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." 
+"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#: sssd-krb5.5.xml:275 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:288 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#: sssd-krb5.5.xml:293 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:309 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:344 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:364 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +"NOTE: It is not possible to mix units. 
To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:379 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:419 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:508 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:524 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 -msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:542 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:551 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 #, no-wrap msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#: sssd-krb5.5.xml:65 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#: sssd-krb5.5.xml:606 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#: sss_userdel.8.xml:32 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. 
The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 -msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sss_groupdel.8.xml:32 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_usermod.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. 
It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 -msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. 
By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#: sss_usermod.8.xml:152 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 -msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#: sss_cache.8.xml:68 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_cache.8.xml:90 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#: sss_cache.8.xml:112 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Invalidate all netgroup records. 
This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#: sss_cache.8.xml:119 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 -msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#: sss_cache.8.xml:134 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 -msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#: sss_cache.8.xml:186 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#: sss_cache.8.xml:201 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_seed.8.xml:68 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 -msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_seed.8.xml:140 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_seed.8.xml:148 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#: sss_seed.8.xml:153 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sssd-ifp.5.xml:53 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sssd-ifp.5.xml:63 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 -msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 -msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:81 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 -msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +#: sssd-ifp.5.xml:117 msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. Overrides configuration settings." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 -msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#: sss_rpcidmapd.5.xml:87 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:91 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#: sss_rpcidmapd.5.xml:100 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." 
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." 
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." 
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"To list all available commands run <command>sssctl</command> without any " +"parameters. 
To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#: sssd-files.5.xml:99 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#: sssd-files.5.xml:114 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 -msgid "" -"<emphasis>never</emphasis> use FAST. 
This is equivalent to not setting this " -"option at all." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 +msgid "" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the host and user principal should be canonicalized. 
This " -"feature is available with MIT Kerberos 1.7 and later versions." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. 
This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#: sssd-secrets.5.xml:75 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 -msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:95 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:122 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. 
These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#: sssd-secrets.5.xml:144 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. 
The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 -msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:323 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. 
This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. 
Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. 
This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:466 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 -msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:519 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:535 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:551 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. 
The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." 
+"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +msgid "Default: 64" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-kcm.8.xml:237 +msgid "Default: 65536" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." 
+"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 -msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." 
+"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-systemtap.5.xml:412 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. 
The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. 
Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. 
In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 -msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 +msgid "" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 -msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains the objectSID of an LDAP group object. 
This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. 
For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. 
<placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -msgid "Default: 64" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -msgid "Default: 65536" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/fi.po b/src/man/po/fi.po index 56a9736b0ff..34eec244aa6 100644 --- a/src/man/po/fi.po +++ b/src/man/po/fi.po @@ -3,7 +3,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2017-03-24 08:46+0000\n" "Last-Translator: Toni Rantala <trantalafilo@gmail.com>\n" "Language-Team: Finnish\n" @@ -25,7 +25,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD ohjesivut" @@ -68,7 +68,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "KUVAUS" 
@@ -127,7 +127,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -136,7 +136,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" @@ -287,12 +287,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Oletus:tosi" 
@@ -309,19 +309,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Oletus:epätosi" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -344,8 +348,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -360,7 +364,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -408,19 +412,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -440,7 +444,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -460,12 +464,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -473,39 +477,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "käyttäjänimi" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -520,20 +524,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -541,52 +556,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -599,17 +614,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -619,7 +634,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -632,23 +647,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Oletus: ei asetettu" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -658,7 +673,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -667,22 +682,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Oletus: ei asetettu(välilyöntejä ei korvata)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -690,69 +705,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: false" msgid "Default: sha256" msgstr "Oletus:epätosi" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -760,19 +794,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -780,24 +814,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -806,7 +840,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -814,8 +848,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -823,68 +871,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -895,7 +943,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -912,7 +960,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -929,12 +977,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -943,22 +991,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -968,17 +1016,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -988,18 +1036,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1007,24 +1055,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1032,12 +1080,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1049,58 +1097,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1108,7 +1156,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1118,7 +1166,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1127,17 +1175,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1145,17 +1193,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1163,17 +1211,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1182,7 +1230,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1191,41 +1239,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1233,23 +1281,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1257,47 +1305,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1305,112 +1353,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1421,96 +1469,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1518,59 +1566,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1579,61 +1627,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1641,7 +1689,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1650,17 +1698,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1668,31 +1716,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1702,75 +1750,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1778,19 +1826,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1798,12 +1846,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1811,77 +1859,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1889,7 +1937,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1901,63 +1949,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1965,12 +2013,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1981,7 +2029,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1989,7 +2037,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -1997,7 +2045,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2006,12 +2054,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2022,24 +2070,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2049,22 +2097,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2072,51 +2120,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2125,24 +2173,53 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Oletus: ei asetettu(välilyöntejä ei korvata)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2153,7 +2230,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2164,24 +2241,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2189,12 +2266,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2203,24 +2280,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2230,66 +2307,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2297,17 +2374,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2315,7 +2392,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2323,22 +2400,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2347,14 +2424,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2363,38 +2440,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2403,24 +2480,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2429,29 +2506,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2465,14 +2542,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2481,39 +2558,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2522,19 +2599,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2545,115 +2622,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2662,42 +2739,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2705,24 +2782,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2731,17 +2808,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2750,34 +2827,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2785,7 +2862,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2793,8 +2870,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2803,8 +2880,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2812,19 +2889,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2833,7 +2910,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2841,22 +2918,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2868,7 +2945,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2876,19 +2953,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2896,7 +2973,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2904,35 +2981,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2940,19 +3017,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2961,7 +3038,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2969,29 +3046,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -2999,7 +3076,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3007,35 +3084,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3043,32 +3120,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3079,7 +3156,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3088,12 +3165,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3101,7 +3178,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3109,31 +3186,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3141,7 +3218,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3150,17 +3227,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3168,43 +3245,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3212,7 +3289,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3220,7 +3297,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3228,24 +3305,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3253,12 +3330,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3268,7 +3345,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3277,29 +3354,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3307,7 +3384,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3317,59 +3394,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3378,77 +3455,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3456,7 +3533,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3465,17 +3542,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3483,34 +3560,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3520,32 +3597,32 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Esimerkki: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3555,34 +3632,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3591,19 +3668,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3611,24 +3688,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3637,24 +3714,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3664,14 +3741,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3679,21 +3756,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3701,7 +3778,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3710,7 +3787,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3719,7 +3796,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3727,29 +3804,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3757,12 +3834,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3771,12 +3848,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3784,19 +3861,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3813,7 +3890,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3821,17 +3898,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3840,7 +3917,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3850,7 +3927,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3870,12 +3947,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3883,73 +3960,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3957,17 +4034,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3976,17 +4053,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3994,17 +4071,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4012,17 +4089,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4033,69 +4110,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4108,7 +4185,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4116,7 +4193,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4125,55 +4202,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4182,17 +4259,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4200,26 +4277,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4228,17 +4305,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4248,7 +4325,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4257,59 +4334,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4317,14 +4394,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4332,7 +4409,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4340,12 +4417,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4375,7 +4452,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4384,7 +4461,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4392,7 +4469,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4403,7 +4480,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4417,7 +4494,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4473,12 +4550,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4488,33 +4565,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4523,71 +4600,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4596,7 +4673,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4607,12 +4684,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4620,32 +4697,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4656,37 +4733,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4695,10735 +4772,10975 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1577 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 -msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 -msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 -msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. 
The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. 
Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." 
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 -msgid "" -"Specifies how alias dereferencing is done when performing a search. 
The " -"following options are allowed:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. 
" -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 -msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. 
Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. 
The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." 
+"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." 
+"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." 
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. 
If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. 
Valid entries are:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. 
If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." 
+"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:348 +msgid "Optional. 
Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." 
+"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"This field is used to determine the host principal in use in the keytab. 
It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. 
If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"permissive: GPO-based access control rules are evaluated, but not enforced. 
" +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 -msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:475 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. 
" +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:495 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:515 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:531 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:549 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:554 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 -msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 -msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:638 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. 
" +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:657 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:663 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 -msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:697 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. 
Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:721 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. 
" +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:755 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. 
If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:773 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:790 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:808 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. 
If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. 
Use ldap_host_search_base instead." +#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. 
As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1068 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#: sssd-ad.5.xml:1081 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. 
This is already the default set by the IPA installer, so no " -"manual change is required." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. 
It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. 
By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 -msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. 
<placeholder " -"type=\"variablelist\" id=\"0\"/>" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#: sss_obfuscate.8.xml:32 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sss_obfuscate.8.xml:37 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sss_obfuscate.8.xml:49 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. 
Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"where original_name is original name of the user whose attributes should be " +"overridden. 
The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 -msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. 
However, it is neither necessary nor recommended to set these " -"options." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"ldap_id_mapping = False\n" -" " +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap -msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 -msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 -msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 -msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. 
If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." 
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). 
The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#: sssd-krb5.5.xml:106 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#: sssd-krb5.5.xml:116 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#: sssd-krb5.5.xml:138 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#: sssd-krb5.5.xml:154 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#: sssd-krb5.5.xml:216 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. 
" -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:243 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." 
+"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:275 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:293 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:309 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:344 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. 
Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:419 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:433 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 -msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. 
As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:465 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 -msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#: sssd-krb5.5.xml:65 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#: sssd-krb5.5.xml:606 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 +#: sssd-krb5.5.xml:614 #, no-wrap -msgid "sudoers: files sss\n" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 -msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#: sss_groupadd.8.xml:32 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#: sss_userdel.8.xml:32 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#: sss_groupdel.8.xml:32 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_groupshow.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_groupshow.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. 
It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#: sss_usermod.8.xml:82 msgid "" -"Send the debug output to files instead of stderr. 
By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#: sss_usermod.8.xml:96 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 -msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 -msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 -msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#: sss_cache.8.xml:68 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_cache.8.xml:90 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 -msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#: sss_cache.8.xml:163 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." 
+#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. 
However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. 
The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_seed.8.xml:68 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 -msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_seed.8.xml:140 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_seed.8.xml:148 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#: sss_seed.8.xml:153 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sssd-ifp.5.xml:53 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sssd-ifp.5.xml:63 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 -msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 -msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:81 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. 
This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:117 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sssd-ifp.5.xml:139 msgid "" -"The home directory of the user account. 
The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. 
Overrides configuration settings." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 -msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#: sss_rpcidmapd.5.xml:91 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#: sss_rpcidmapd.5.xml:100 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." 
+"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#: sss_rpcidmapd.5.xml:122 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. 
If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 -msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 -msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 +msgid "" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. 
If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 -msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 +msgid "" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#: sssd-files.5.xml:99 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." 
+"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 -msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#: sssd-files.5.xml:114 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. 
Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." 
+"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"The secrets are simple key-value pairs. 
Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 -msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 -msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#: sssd-secrets.5.xml:75 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." 
+"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. 
The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap -msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 -msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#: sssd-secrets.5.xml:207 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 -msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#: sssd-secrets.5.xml:231 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 -msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:310 msgid "" -"Also print indirect group members in a tree-like hierarchy. 
Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:335 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#: sssd-secrets.5.xml:347 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. 
Options that invalidate a single object only accept a " -"single provided argument." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." 
+#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." 
+#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. 
Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." 
+"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-kcm.8.xml:31 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#: sssd-kcm.8.xml:67 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:76 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. 
The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:155 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:164 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:175 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 -msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 -msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (integer)" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "enum_cache_timeout (integer)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 +msgid "" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: true" +msgid "Default: 64" +msgstr "Oletus:tosi" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccache_size (integer)" +msgstr "enum_cache_timeout (integer)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 +msgid "" +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: true" +msgid "Default: 65536" +msgstr "Oletus:tosi" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 -msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 -msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 -msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap -msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap +msgid "" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 -msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." 
msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 -msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-systemtap.5.xml:412 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." 
+"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 -msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. 
" +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (integer)" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "enum_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: true" -msgid "Default: 64" -msgstr "Oletus:tosi" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccache_size (integer)" -msgstr "enum_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: true" -msgid "Default: 65536" -msgstr "Oletus:tosi" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/fr.po b/src/man/po/fr.po index 3a29bd79806..adea5d1a68b 100644 --- a/src/man/po/fr.po +++ b/src/man/po/fr.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2016-03-19 03:04+0000\n" "Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n" "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/" @@ -39,7 +39,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Pages de manuel de SSSD" @@ -85,7 +85,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "DESCRIPTION" 
@@ -155,7 +155,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -164,7 +164,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Formats de fichier et conventions" @@ -336,12 +336,12 @@ msgstr "" "la journalisation de débogage de SSSD, cette option sera ignorée." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Par défaut : true" 
@@ -361,19 +361,23 @@ msgstr "" "sera ignorée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Par défaut : false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -396,8 +400,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Par défaut : 10" @@ -412,7 +416,7 @@ msgid "The [sssd] section" msgstr "La section [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Paramètres de sections" @@ -466,12 +470,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -481,7 +485,7 @@ msgstr "" "d'abandonner" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Par défaut : 3" @@ -501,7 +505,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (chaîne)" 
@@ -523,12 +527,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -540,33 +544,33 @@ msgstr "" "domaine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "nom d'utilisateur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" "nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." 
@@ -576,7 +580,7 @@ msgstr "" "d'approbation IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -595,16 +599,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (booléen)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD gère l'état de resolv.conf pour identifier les besoins de mise à jour " "des résolutions DNS internes. Par défaut, l'utilisation de inotify sera " 
@@ -612,7 +635,7 @@ msgstr "" "secondes si inotify échoue." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -622,7 +645,7 @@ msgstr "" "conseillée. Dans ces rares cas, cette option devrait être définie à « false »" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -631,7 +654,7 @@ msgstr "" "sur les autres plates-formes." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -641,12 +664,12 @@ msgstr "" "utilisée." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -655,7 +678,7 @@ msgstr "" "de rejeu Kerberos." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." @@ -665,7 +688,7 @@ msgstr "" "relecture." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -674,12 +697,12 @@ msgstr "" "la construction du logiciel. (__LIBKRB5_DEFAULTS__ si non configuré)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "user (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " 
@@ -692,17 +715,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "Par défaut : non défini, le processus tourne en tant que root" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -718,7 +741,7 @@ msgstr "" "domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 #, fuzzy #| msgid "" #| "Please note that if this option is set all users from the primary domain " 
@@ -744,23 +767,23 @@ msgstr "" "use_fully_qualified_names à False." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Par défaut : non défini" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "override_space (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -776,7 +799,7 @@ msgstr "" "défaut de l'interpréteur de commande." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -785,22 +808,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Par défaut : non défini (les espaces ne seront pas remplacées)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -808,69 +831,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Par défaut : 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -878,19 +920,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -898,24 +940,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -924,7 +966,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -932,8 +974,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -941,68 +997,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -1013,7 +1069,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " 
@@ -1030,7 +1086,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Par défaut : non défini" @@ -1053,12 +1109,12 @@ msgstr "" "l'identité des domaines. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "SECTIONS DE SERVICES" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -1071,22 +1127,22 @@ msgstr "" "section doit être <quote>[nss]</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Options générales de configuration de service" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Ces options peuvent être utilisées pour configurer les services." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -1101,17 +1157,17 @@ msgstr "" "valeur inférieure ou la limite « hard » de limits.conf." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "Par défault : 8192 (ou la limite « hard » de limits.conf)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1121,18 +1177,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Par défaut : 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1140,24 +1196,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "offline_timeout + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "new_interval = old_interval*2 + random_offset" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1165,12 +1221,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1182,30 +1238,30 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Par défaut : 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "Options de configuration NSS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1213,12 +1269,12 @@ msgstr "" "Switch (NSS)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1227,17 +1283,17 @@ msgstr "" "énumérations (requêtes sur les informations de tous les utilisateurs)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Par défaut : 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1248,7 +1304,7 @@ msgstr "" "valeur de entry_cache_timeout pour le domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1264,7 +1320,7 @@ msgstr "" "cache." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1277,17 +1333,17 @@ msgstr "" "de non réponse à moins de 10 secondes (0 pour désactiver l'option)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Par défaut : 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1299,17 +1355,17 @@ msgstr "" "appel au moteur." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Par défaut : 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1317,17 +1373,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1336,7 +1392,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " @@ -1345,17 +1401,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Par défaut : root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" 
@@ -1363,12 +1419,12 @@ msgstr "" "membres de groupes." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1377,7 +1433,7 @@ msgstr "" "explicitement spécifié par le fournisseur de données du domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1385,7 +1441,7 @@ msgstr "" "override_homedir." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1395,25 +1451,25 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "exemple : <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" "Par défaut : non défini (aucune substitution pour les répertoires d'accueil " "non définis)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1425,17 +1481,17 @@ msgstr "" "section [nss], soit par domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "Par défaut : indéfini (SSSD utilisera la valeur récupérée de LDAP)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" @@ -1443,14 +1499,14 @@ msgstr "" "indiquées. L'ordre d'évaluation est :" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" "1. Si l'interpréteur de commandes est présent dans <quote>/etc/shells</" "quote>, il est utilisé." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1460,7 +1516,7 @@ msgstr "" "shell_fallback » sera utilisée." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." 
@@ -1469,12 +1525,12 @@ msgstr "" "ni dans <quote>/etc/shells</quote>, une connexion sans shell est utilisée." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " @@ -1482,14 +1538,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" "Une chaîne vide pour l'interpréteur de commandes est passée telle quelle est " "à la libc." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." 
@@ -1499,31 +1555,31 @@ msgstr "" "est installé." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" "Par défaut : non défini. L'interpréteur de commandes de l'utilisateur est " "utilisé automatiquement." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" "Remplace toutes les occurences de ces interpréteurs de commandes par " "l'interpréteur de commandes par défaut" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1531,17 +1587,17 @@ msgstr "" "commandes autorisé n'est pas installé sur la machine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Par défaut : /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." @@ -1551,7 +1607,7 @@ msgstr "" "choix soit dans la section [nss], soit par domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" @@ -1561,12 +1617,12 @@ msgstr "" "nécessaire, habituellement /bin/sh)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (int)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." 
@@ -1575,38 +1631,38 @@ msgstr "" "jugée valide." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (int)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1617,48 +1673,48 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "Par défaut : non défini, repli sur l'option InfoPipe" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "Cette option peut aussi être définie pour chaque domaine." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "Options de configuration de PAM" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." @@ -1667,12 +1723,12 @@ msgstr "" "Module (PAM)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1682,17 +1738,17 @@ msgstr "" "connexion réussie)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Par défaut : 0 (pas de limite)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1701,12 +1757,12 @@ msgstr "" "échouées sont autorisées." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1716,7 +1772,7 @@ msgstr "" "soit possible." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1727,17 +1783,17 @@ msgstr "" "connexion réussie en ligne peut réactiver l'authentification." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Par défaut : 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1747,44 +1803,44 @@ msgstr "" "affichés sera important." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "Actuellement sssd supporte les valeurs suivantes :" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis> : ne pas afficher de message" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis> : afficher seulement les messages importants" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis> : afficher les messages d'information" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis> : afficher tous les messages et informations de " "débogage" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Par défaut : 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1793,61 +1849,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1859,7 +1915,7 @@ msgstr "" "les dernières informations." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1873,17 +1929,17 @@ msgstr "" "fournisseur d'identité." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "Afficher une alerte N jours avant l'expiration du mot de passe." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -1894,7 +1950,7 @@ msgstr "" "ne peut afficher de message d'alerte." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." @@ -1904,7 +1960,7 @@ msgstr "" "sera automatiquement affiché." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." 
@@ -1913,17 +1969,17 @@ msgstr "" "<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Par défaut : 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "pam_trusted_users (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1933,37 +1989,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "pam_public_domains (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" "Deux valeurs spéciales pour l'option pam_public_domains sont définies :" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" @@ -1971,7 +2027,7 @@ msgstr "" "à tous les domaines PAM dans le répondeur.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" 
@@ -1980,33 +2036,33 @@ msgstr "" "autorisés à accéder à un des domaines PAM dans le répondeur.)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Par défaut : aucun" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "pam_account_expired_message (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -2014,19 +2070,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -2034,12 +2090,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -2047,77 +2103,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Par défaut : False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -2125,7 +2181,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2137,63 +2193,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -2201,12 +2257,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2217,7 +2273,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2225,7 +2281,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2233,7 +2289,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2242,12 +2298,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "Options de configuration de SUDO" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2264,12 +2320,12 @@ msgstr "" "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." @@ -2278,12 +2334,12 @@ msgstr "" "les entrées sudoers sensibles au temps." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2293,22 +2349,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "Options de configuration AUTOFS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "Ces options peuvent être utilisées pour configurer le service autofs." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2320,23 +2376,23 @@ msgstr "" "moteur." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "Options de configuration SSH" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" "Les options suivantes peuvent être utilisées pour configurer le service SSH." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." @@ -2344,12 +2400,12 @@ msgstr "" "Condenser ou non les noms de systèmes et adresses du fichier known_hosts" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." 
@@ -2358,17 +2414,17 @@ msgstr "" "known_hosts géré après que ses clés de système ont été demandés." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Par défaut : 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2377,24 +2433,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_certificate (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Par défaut : non défini (les espaces ne seront pas remplacées)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "Options de configuration du répondeur PAC" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2405,7 +2492,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2416,7 +2503,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." 
@@ -2425,19 +2512,19 @@ msgstr "" "ajouté à ces groupes." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" "Les options suivantes peuvent être utilisées pour configurer le répondeur " "PAC." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " @@ -2448,14 +2535,14 @@ msgstr "" "seront résolus en UID au démarrage." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" "Par défaut : 0 (seul l'utilisateur root est autorisé à accéder au répondeur " "PAC)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " 
@@ -2468,24 +2555,24 @@ msgstr "" "0 à la liste des UID d'utilisateurs autorisés." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2495,66 +2582,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2562,17 +2649,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2580,7 +2667,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2588,22 +2675,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "SECTIONS DOMAINES" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2612,14 +2699,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2628,31 +2715,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." @@ -2661,7 +2748,7 @@ msgstr "" "dehors de ces limites, elle est ignorée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2674,7 +2761,7 @@ msgstr "" "qui sont dans la plage seront rapportés comme prévu." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." @@ -2683,17 +2770,17 @@ msgstr "" "pas seulement leur recherche par nom ou identifiant." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Default: 1 for min_id, 0 (no limit) for max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2702,29 +2789,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = utilisateurs et groupes sont énumérés" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = aucune énumération pour ce domaine" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Par défaut : FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2738,7 +2825,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -2748,7 +2835,7 @@ msgstr "" "l'énumération ne se termine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " @@ -2762,7 +2849,7 @@ msgstr "" "fournisseur d'identité spécifique utilisé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." 
@@ -2771,32 +2858,32 @@ msgstr "" "déconseillée, surtout dans les environnements de grande taille." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "Tous les domaines approuvés découverts seront énumérés" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "Aucun domaine approuvé découvert ne sera énuméré" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2810,12 +2897,12 @@ msgstr "" "activer l'énumération pour ces seuls domaines." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -2824,7 +2911,7 @@ msgstr "" "comme valides avant de les redemander au moteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -2842,17 +2929,17 @@ msgstr "" "rafraîchissement des entrées qui sont déjà en cache." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Par défaut : 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -2861,19 +2948,19 @@ msgstr "" "d'utilisateurs comme valides avant de les redemander au moteur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Par défaut : entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -2882,12 +2969,12 @@ msgstr "" "groupes comme valides avant de les redemander au moteur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -2896,12 +2983,12 @@ msgstr "" "netgroup comme valides avant de les redemander au moteur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" @@ -2910,12 +2997,12 @@ msgstr "" "service valides avant de les redemander au moteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" @@ -2924,12 +3011,12 @@ msgstr "" "valides avant de les redemander au moteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" 
@@ -2938,12 +3025,12 @@ msgstr "" "cartes d'automontage comme valides avant de les redemander au moteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "entry_cache_ssh_host_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." @@ -2952,12 +3039,12 @@ msgstr "" "rafraichissement. I.e. combien de temps mettre la clé en cache." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." @@ -2967,7 +3054,7 @@ msgstr "" "enregistrements expirés ou sur le point de l'être." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2976,47 +3063,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" "Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Par défaut : 0 (désactivé)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "Détermine si les données d'identification de l'utilisateur sont aussi mis en " "cache dans le cache LDB local" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" "Les informations d'identification utilisateur sont stockées dans une table " "de hachage SHA512, et non en texte brut" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -3024,24 +3111,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "Par défaut : 8" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -3054,17 +3141,17 @@ msgstr "" "paramètre doit être supérieur ou égal à offline_credentials_expiration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Par défaut : 0 (illimité)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -3077,17 +3164,17 @@ msgstr "" "fournisseur oauth doit être configuré pour le moteur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -3095,18 +3182,18 @@ msgstr "" "d'identification pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3114,7 +3201,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3126,8 +3213,8 @@ msgstr "" "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3140,8 +3227,8 @@ msgstr "" "configuration de FreeIPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3153,12 +3240,12 @@ msgstr "" "d'Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -3168,7 +3255,7 @@ msgstr "" "communiqué à NSS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3182,7 +3269,7 @@ msgstr "" "trouve." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3194,22 +3281,22 @@ msgstr "" "qualifié sera demandé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "Par défaut : false (true si default_domain_suffix est utilisée)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3221,7 +3308,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -3229,12 +3316,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" @@ -3243,7 +3330,7 @@ msgstr "" "pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3255,7 +3342,7 @@ msgstr "" "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3266,7 +3353,7 @@ msgstr "" "citerefentry> pour plus d'informations sur la configuration de Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" 
@@ -3274,18 +3361,18 @@ msgstr "" "PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" "<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> désactive l'authentification explicitement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3294,12 +3381,12 @@ msgstr "" "gérer les requêtes d'authentification." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " @@ -3310,7 +3397,7 @@ msgstr "" "installés). Les fournisseurs internes spécifiques sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." 
@@ -3319,12 +3406,12 @@ msgstr "" "d'accès autorisé pour un domaine local." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> toujours refuser les accès." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3337,7 +3424,7 @@ msgstr "" "d'informations sur la configuration du module d'accès simple." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3345,22 +3432,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Par défaut : <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3369,7 +3456,7 @@ msgstr "" "domaine. Les fournisseurs pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3377,7 +3464,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3389,7 +3476,7 @@ msgstr "" "Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" @@ -3397,14 +3484,14 @@ msgstr "" "autre cible PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" "<quote>none</quote> pour désactiver explicitement le changement de mot de " "passe." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3413,19 +3500,19 @@ msgstr "" "peut gérer les changements de mot de passe." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "Le fournisseur SUDO, utilisé pour le domaine. Les fournisseurs SUDO pris en " "charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3437,7 +3524,7 @@ msgstr "" "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." @@ -3446,7 +3533,7 @@ msgstr "" "par défaut pour IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." @@ -3455,20 +3542,20 @@ msgstr "" "par défaut pour AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "<quote>none</quote> désactive explicitement SUDO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" "Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle " "est définie." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " 
@@ -3479,7 +3566,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " @@ -3488,12 +3575,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3504,7 +3591,7 @@ msgstr "" "fournisseur d'accès. Les fournisseurs selinux pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3516,14 +3603,14 @@ msgstr "" "IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" "<quote>none</quote> n'autorise pas la récupération explicite des paramètres " "selinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." 
@@ -3532,12 +3619,12 @@ msgstr "" "gérer le chargement selinux" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" @@ -3547,7 +3634,7 @@ msgstr "" "fournisseurs de sous-domaine pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3559,7 +3646,7 @@ msgstr "" "IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3568,18 +3655,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" "<quote>none</quote> désactive la récupération explicite des sous-domaines." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3587,37 +3674,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -3625,7 +3712,7 @@ msgstr "" "en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3637,7 +3724,7 @@ msgstr "" "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3649,7 +3736,7 @@ msgstr "" "IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3657,17 +3744,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "<quote>none</quote> désactive explicitement autofs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -3676,7 +3763,7 @@ msgstr "" "systèmes. Les fournisseurs de hostid pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3688,12 +3775,12 @@ msgstr "" "configuration de IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "<quote>none</quote> désactive explicitement hostid." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3709,7 +3796,7 @@ msgstr "" "domaine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3722,22 +3809,22 @@ msgstr "" "styles différents pour les noms d'utilisateurs :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "username@domain.name" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "domain\\username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." @@ -3747,7 +3834,7 @@ msgstr "" "utilisateurs de domaines Windows." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3758,7 +3845,7 @@ msgstr "" "importe le domaine après »" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3768,17 +3855,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Par défaut : <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -3787,48 +3874,48 @@ msgstr "" "utiliser pour effectuer les requêtes DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Valeurs prises en charge :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" "ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, " "essayer IPv6." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" "ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" "ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter " "IPv4." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" "ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Par défaut : ipv4_first" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -3837,25 +3924,25 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Par défaut : 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -3864,54 +3951,54 @@ msgstr "" "du domaine faisant partie de la requête DNS de découverte de services." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" "Par défaut : utiliser la partie du domaine qui est dans le nom de système de " "la machine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "Redéfinit le GID primaire avec la valeur spécifiée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "case_sensitive (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "True" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "False" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "Insensible à la casse." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "Preserving" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3923,7 +4010,7 @@ msgstr "" "sortie." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3932,17 +4019,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "Par défaut : true (false pour le fournisseur AD)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "subdomain_inherit (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3950,34 +4037,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3987,32 +4074,32 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "nom plat (NetBIOS) d'un sous-domaine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " @@ -4028,7 +4115,7 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" 
@@ -4036,17 +4123,17 @@ msgstr "" "emphasis>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Par défaut : <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" @@ -4054,12 +4141,12 @@ msgstr "" "ce domaine." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -4068,19 +4155,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -4088,24 +4175,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -4114,24 +4201,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -4141,14 +4228,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -4156,21 +4243,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -4178,7 +4265,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -4187,7 +4274,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -4196,7 +4283,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -4208,17 +4295,17 @@ msgstr "" "id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "Le proxy cible duquel PAM devient mandataire." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." @@ -4227,12 +4314,12 @@ msgstr "" "ou en créer une nouvelle et ajouter le nom de service ici." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " 
@@ -4243,12 +4330,12 @@ msgstr "" "$(libName)_$(function), par exemple _nss_files_getpwent." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4262,12 +4349,12 @@ msgstr "" "afin d'améliorer les performances." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -4275,7 +4362,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4284,12 +4371,12 @@ msgstr "" "id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " 
@@ -4306,7 +4393,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " @@ -4314,17 +4401,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -4333,7 +4420,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4343,7 +4430,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" 
@@ -4363,12 +4450,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "La section du domaine local" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " @@ -4379,29 +4466,29 @@ msgstr "" "dire un domaine qui utilise <replaceable>id_provider=local</replaceable>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "L'interpréteur de commandes par défaut pour les utilisateurs créés avec les " "outils en espace utilisateur SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Par défaut : <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4410,17 +4497,17 @@ msgstr "" "replaceable> et l'utilisent comme dossier personnel." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Par défaut : <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4429,17 +4516,17 @@ msgstr "" "utilisateurs. Peut être outrepassé par la ligne de commande." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Par défaut : TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4448,12 +4535,12 @@ msgstr "" "suppression des utilisateurs. Peut être outrepassé par la ligne de commande." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4464,17 +4551,17 @@ msgstr "" "défaut sur un répertoire personnel nouvellement créé." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Par défaut : 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4487,17 +4574,17 @@ msgstr "" "manvolnum> </citerefentry>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Par défaut : <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4508,17 +4595,17 @@ msgstr "" "précisé, la valeur par défaut est utilisée." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Par défaut : <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4529,17 +4616,17 @@ msgstr "" "code en retour de la commande n'est pas pris en compte." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Par défaut : None, aucune commande lancée" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4550,69 +4637,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4625,7 +4712,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4633,7 +4720,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4642,55 +4729,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4699,17 +4786,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4717,26 +4804,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4745,17 +4832,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4765,7 +4852,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4774,59 +4861,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4834,14 +4921,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4849,7 +4936,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4857,12 +4944,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4916,7 +5003,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4925,7 +5012,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4933,7 +5020,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4944,7 +5031,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4958,7 +5045,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -5028,12 +5115,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "OPTIONS DE CONFIGURATION" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" @@ -5049,18 +5136,18 @@ msgstr "" "la section de <quote>DÉCOUVERTE DE SERVICE</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" "Le format de l'URI doit correspondre au format définit dans la RFC 2732 :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<host>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" 
@@ -5068,17 +5155,17 @@ msgstr "" "entre crochets []" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "exemple : ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -5091,31 +5178,31 @@ msgstr "" "plus d'informations sur le repli et la redondance de serveurs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "Pour activer la découverte de services, ldap_chpass_dns_service_name doit " "être défini." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Par défaut : vide, ldap_uri est donc utilisé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" "Le DN de base par défaut à utiliser pour effectuer les opérations LDAP sur " "les utilisateurs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -5124,17 +5211,17 @@ msgstr "" "l'aide de la syntaxe :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "La portée peut être l'une des « base », « onelevel » ou « subtree »." #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -5142,14 +5229,14 @@ msgstr "" "Le filtre doit être un filtre de recherche LDAP valide tel que spécifié par " "http://www.ietf.org/rfc/rfc2254.txt" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Exemples :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -5158,7 +5245,7 @@ msgstr "" "dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -5167,7 +5254,7 @@ msgstr "" "(host=thishost)?dc=example.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -5180,7 +5267,7 @@ msgstr "" "à un comportement imprévisible sur les ordinateurs clients." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -5197,12 +5284,12 @@ msgstr "" "valeurs multiples ne sont pas permises." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -5214,32 +5301,32 @@ msgstr "" "également différer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "Quatre types de schéma sont actuellement pris en charge :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -5257,37 +5344,37 @@ msgstr "" "correspondant aux valeurs d'Active Directory 2008r2." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Par défaut : rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5296,59 +5383,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" "Le DN de connexion par défaut à utiliser pour effectuer les opérations LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" "Le type de jeton d'authentification pour le DN de connexion par défaut." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "Les deux mécanismes actuellement pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Par défaut : password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5357,11794 +5444,12074 @@ msgstr "" "mots de passe en clair sont actuellement pris en charge." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "La classe d'objet d'une entrée utilisateur dans LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Par défaut : posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" -"L'attribut LDAP correspondant à l'identifiant de connexion de l'utilisateur." +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" +"Certains serveurs d'annuaire, comme par exemple Active Directory, peuvent " +"délivrer la partie domaine de l'UPN en minuscules, ce qui peut faire échouer " +"l'authentification. 
Définir cette option à une valeur non nulle pour " +"utiliser un nom de domaine en majuscules." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "L'attribut LDAP correspondant à l'id de l'utilisateur." +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "par défaut : uidNumber" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"Spécifie la durée en secondes pendant laquelle SSSD doit attendre avant " +"d'actualiser son cache d\"énumération d'enregistrements." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (chaîne)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" -"L'attribut LDAP correspondant à l'id du groupe primaire de l'utilisateur." 
+"Détermine la fréquence de vérification de la présence d'entrées inactives " +"dans le cache (telles que groupes sans membres et utilisateurs ne s'étant " +"jamais connectés) et de suppression pour économiser de l'espace." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Par défaut : gidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" -msgstr "" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:352 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (chaîne)" +"Si ldap_schema est défini comme un format prenant en charge les groupes " +"imbriqués (par exemple RFC2307bis), alors cette option contrôle le nombre de " +"niveaux d'imbrication que SSSD suivra. Cette option n'a pas d'effet sur le " +"schéma RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "L'attribut LDAP correspondant au champ gecos de l'utilisateur." +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Par défaut : gecos" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (chaîne)" +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Par défaut : 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" -"L'attribut LDAP qui contient le nom du répertoire personnel de l'utilisateur." +"Cette option active ou désactive l'utilisation de l'attribut Token-Groups " +"lors de l'initialisation des groupes pour les utilisateurs Active Directory " +"2008 et versions ultérieures." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (chaîne)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" -"L'attribut LDAP qui contient le chemin vers l'interpréteur de commandes de " -"l'utilisateur." +"Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger " +"des objets." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Par défaut : loginShell" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" +"Cf. <quote>ldap_search_base</quote> pour plus d'informations sur la " +"configuration des bases de recherche multiples." + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Par défaut : la valeur de <emphasis>ldap_search_base</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "ldap_user_uuid (chaîne)" +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" +"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP " +"avant annulation et utilisation des résultats contenus dans le cache (et " +"activation du mode hors ligne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" -"Par défaut : non défini dans le cas général, objectGUID pour AD et " -"ipaUniqueID pour IPA" +"Note : cette option est susceptible de changer dans les prochaines version " +"de SSSD. Elle sera sûrement remplacée par une série de délais d'attente pour " +"différents types de recherches." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" -"L'attribut LDAP qui contient l'objectSID d'un objet d'utilisateur LDAP. Ceci " -"n'est habituellement nécessaire que pour les serveurs Active Directory." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." 
+"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" +"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP " +"sur les utilisateurs et groupes avant annulation et utilisation des " +"résultats mis en cache (et activation du mode hors ligne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (chaîne)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -"L'attribut LDAP qui contient l'horodatage de la dernière modification de " -"l'objet parent." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Par défaut : modifyTimestamp" +"Définit le délai d'attente (en secondes) après lequel les fonctions " +"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " +"<manvolnum>2</manvolnum> </citerefentry> suivant un <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> rendent la main en cas d'inactivité." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (chaîne)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " -"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (date de changement du dernier mot de passe)." 
- -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Par défaut : shadowLastChange" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (chaîne)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " -"nom de l'attribut LDAP correspondant à sa contrepartie<citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (durée de validité minimum du mot de passe)." +"Spécifie un délai d'attente (en secondes) pendant laquelle une connexion à " +"un serveur LDAP est maintenue. Passé ce délai, la connexion devra être " +"rétablie. Si ce paramètre est utilisé en parallèle avec SASL/GSSAPI, la plus " +"courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Par défaut : shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Par défaut : 900 (15 minutes)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (chaîne)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " -"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (âge maximum du mot de passe)." +"Définit le nombre d'enregistrements à récupérer lors d'une requête LDAP. " +"Certains serveurs LDAP imposent une limite maximale par requête." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Par défaut : shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Par défaut : 1000" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (chaîne)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " -"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (période d'avertissement du mot de passe)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Par défaut : shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (chaîne)" +"Désactiver le contrôle de pagination LDAP. Cette option doit être utilisée " +"si le serveur LDAP signale qu'il prend en charge le contrôle de pagination " +"LDAP de l'objet RootDSE, mais qu'il n'est pas activé ou ne se comporte pas " +"correctement." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " -"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (période d'inactivité du mot de passe)." +"Exemple : le serveurs OpenLDAP avec le module de contrôle de pagination " +"installé sur le serveur mais non activé le signaleront dans RootDSE mais il " +"sera impossible de l'utiliser." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Par défaut : shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"Exemple : 389 DS a un bogue où il ne peut que soutenir qu'un seul contrôle " +"de pagination à la fois sur une connexion donnée. Sur les clients chargés, " +"cela peut entraîner l'échec de certaines demandes." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (chaîne)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." -msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=shadow ou " -"ldap_account_expire_policy=shadow, ce paramètre contient le nom de " -"l'attribut LDAP correspondant à sa contrepartie <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (date d'expiration du compte)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "Désactiver la récupération de plage Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Par défaut : shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" +"Active Directory limite le nombre de membres à récupérer par recherche à " +"l'aide de la stratégie MaxValRange (qui prend la valeur par défaut de 1500 " +"membres). 
Si un groupe contient plus de membres, la réponse inclura une " +"extension de plage spécifique à Active Directory. Cette option désactive " +"l'analyse de cette extension de plage, les groupes de grande taille " +"apparaissant ainsi sans aucun membre." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (chaîne)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient " -"le nom de l'attribut LDAP stockant la date et l'heure du dernier changement " -"de mot de passe dans kerberos." +"Lors de la communication avec un serveur LDAP en utilisant SASL, spécifie le " +"niveau de sécurité minimal nécessaire pour établir la connexion. Les valeurs " +"de cette option sont définies par OpenLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Par défaut : krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" +"Par défaut : Utiliser la valeur par défaut du système (généralement spécifié " +"par ldap.conf)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (chaîne)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient " -"le nom de l'attribut LDAP stockant la date et l'heure d'expiration du mot de " -"passe actuel." +"Définit le nombre de membres du groupe qui doivent manquer au sein du cache " +"interne afin de déclencher une recherche de déréférencement. Si le nombre de " +"membres manquants est inférieur, ils sont recherchés individuellement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Par défaut : krbPasswordExpiration" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (chaîne)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. 
" +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre " -"contient le nom d'un attribut LDAP stockant la date d'expiration du compte." +"Une recherche de déréférencement est un moyen pour récupérer tous les " +"membres d'un groupe avec un seul appel LDAP. Plusieurs serveurs LDAP peuvent " +"avoir différentes méthodes de déréférencement. Les serveurs actuellement " +"acceptés sont 389/RHDS, OpenLDAP et Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Par défaut : accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" +"<emphasis>Remarque :</emphasis> Si l'une des bases de recherche spécifie un " +"filtre de recherche, alors l'amélioration de la performance de recherche de " +"déréférencement est désactivée indépendamment de ce paramètre." 
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (chaîne)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre " -"contient le nom d'un attribut LDAP stockant le champ de bits de contrôle du " -"compte utilisateur." +"Définit les vérifications à effectuer sur les certificats serveur sur une " +"session TLS, si elle existe. Une des valeurs suivantes est utilisable :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Par défaut : userAccountControl" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (chaîne)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> : le client ne demandera ni ne vérifiera un " +"quelconque certificat du serveur." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=rhds ou équivalent, ce " -"paramètre détermine si l'accès est autorisé ou non." +"<emphasis>allow</emphasis> : le certificat serveur est demandé. Si aucun " +"certificat n'est fournit, la session continue normalement. Si un mauvais " +"certificat est fourni, il est ignoré et la session continue normalement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "Par défaut : nsAccountLock" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (chaîne)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" +"<emphasis>try</emphasis> : le certificat serveur est demandé. Si aucun " +"certificat n'est fourni, la session continue normalement. Si un mauvais " +"certificat est fourni, la session se termine immédiatement." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " -"détermine si l'accès est autorisé ou non." +"<emphasis>demand</emphasis> : le certificat serveur est demandé. Si aucun " +"certificat ou un mauvais certificat est fourni, la session se termine " +"immédiatement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Par défaut : loginDisabled" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (chaîne)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." -msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " -"détermine jusqu'à quand l'accès est autorisé." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Par défaut : hard" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (chaîne)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " -"détermine les heures des jours dans la semaine pendant lesquelles l'accès " -"est autorisé." +"Définit le fichier qui contient les certificats pour toutes les autorités de " +"certification que <command>sssd</command> reconnaîtra." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Par défaut : loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" +"Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans " +"<filename>/etc/openldap/ldap.conf</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (chaîne)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" -"L'attribut LDAP contenant le nom du principal d'utilisateur (UPN) Kerberos " -"de l'utilisateur." +"Spécifie le chemin d'un dossier qui contient les certificats de l'autorité " +"de certificats dans des fichiers séparés. Usuellement, les noms de fichiers " +"sont la somme de contrôle du certificat suivi de « .0 ». Si disponible, " +"<command>cacertdir_rehash</command> peut être utilisé pour créer les noms " +"corrects." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Par défaut : krbPrincipalName" +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "Définit le fichier qui contient le certificat pour la clef du client." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (chaîne)" +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." -msgstr "" -"Liste séparée par des virgules des attributs LDAP que SSSD va demander en " -"plus des attributs utilisateur habituels." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "Définit le fichier qui contient la clef du client." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 +#: sssd-ldap.5.xml:741 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"La liste ne peut contenir que des noms d'attributs LDAP, ou des tuples " -"séparés par des virgules de nom d'attribut de cache et nom d'attribut LDAP. " -"Dans le cas où seul le nom d'un attribut LDAP est indiqué, l'attribut est " -"enregistré tel quel dans le cache. L'utilisation d'un nom d'attribut SSSD " -"peut être nécessaire pour les environnements configurant plusieurs domaines " -"SSSD utilisant des schémas LDAP différents." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:757 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" -"Veuillez noter que plusieurs noms d'attributs sont réservés par SSSD, dont " -"l'attribut <quote>name</quote>. SSSD émettrait une erreur si l'un des noms " -"d'attributs réservés est utilisé par un nom d'attribut supplémentaire." +"Définit le fait que le fournisseur d'identité de connexion doit aussi " +"utiliser <systemitem class=\"protocol\">tls</systemitem> pour protéger le " +"canal." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:770 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." 
+"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" -"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que " -"<quote>telephoneNumber</quote> dans le cache." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" +"Indique que SSSD doit tenter de trouver les correspondances des ID " +"d'utilisateur et de groupe dans les attributs ldap_user_objectsid et " +"ldap_group_objectsid au lieu d'utiliser ldap_user_uid_number et " +"ldap_group_gid_number." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que " -"<quote>phone</quote> dans le cache." +"Cette fonctionnalité ne prend actuellement en charge que la correspondance " +"par objectSID avec Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (chaîne)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." -msgstr "L'attribut LDAP qui contient les clés publiques SSH de l'utilisateur." 
+#: sssd-ldap.5.xml:789 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" +"Au contraire de la mise en correspondance d'identifiants s'appuyant sur les " +"SID utilisée si ldap_id_mapping est positionné à true, les plages " +"d'identifiants autorisés pour ldap_user_uid_number et ldap_group_gid_number " +"n'ont pas de limite. Dans une configuration avec des sous-domaines ou des " +"domaines approuvés, cela peut engendrer des collisions. Pour les éviter, " +"ldap_min_id et ldap_max_id peuvent être configurés afin de restreindre les " +"plages d'identifiants autorisées lues directement depuis le serveur. Les " +"sous-domaines peuvent ensuite choisir d'autres plages pour leurs propres " +"identifiants." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" -msgstr "Par défaut : sshPublicKey" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "Par défaut : non indiqué (les deux options sont à 0)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (booléen)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:810 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"Certains serveurs d'annuaire, comme par exemple Active Directory, peuvent " -"délivrer la partie domaine de l'UPN en minuscules, ce qui peut faire échouer " -"l'authentification. Définir cette option à une valeur non nulle pour " -"utiliser un nom de domaine en majuscules." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:814 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Spécifie la durée en secondes pendant laquelle SSSD doit attendre avant " -"d'actualiser son cache d\"énumération d'enregistrements." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (entier)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"Détermine la fréquence de vérification de la présence d'entrées inactives " -"dans le cache (telles que groupes sans membres et utilisateurs ne s'étant " -"jamais connectés) et de suppression pour économiser de l'espace." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:833 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). 
By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (chaîne)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Par défaut : cn" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "Par défaut : host/hostname@REALM" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (chaîne)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" -"L'attribut LDAP énumérant les groupes auquel appartient un utilisateur." +"Spécifie le domaine SASL à utiliser. Si non spécifié, cette option prend par " +"défaut la valeur de krb5_realm. 
Si le ldap_sasl_authid contient aussi le " +"domaine, cette option est ignorée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Par défaut : memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Par défaut : la valeur de krb5_realm." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (chaîne)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" -"Lorsque access_provider=ldap et ldap_access_order=authorized_service, SSSD " -"utilise la présence de l'attribut authorizedService dans l'entrée LDAP de " -"l'utilisateur pour déterminer les autorisations d'accès." +"Si true, la bibliothèque LDAP effectue une recherche inversée pour canoniser " +"le nom de l'hôte au cours d'une liaison SASL." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." -msgstr "" -"Le refus explicite (!svc) est résolu en premier. Ensuite, SSSD cherche une " -"autorisation explicite (svc) et enfin allow_all (*)." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." -msgstr "" -"Noter que l'option de configuration ldap_access_order <emphasis>doit</" -"emphasis> inclure <quote>authorized_service</quote> de façon à permettre à " -"l'option ldap_user_authorized_service de fonctionner." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Défaut : false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Par défaut : authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5." +"keytab</filename>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (chaîne)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -"Si access_provider=ldap et ldap_access_order=host, SSSD va utiliser la " -"présence de l'attribut host dans l'entrée LDAP de l'utilisateur pour " -"déterminer les autorisations d'accès." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." -msgstr "" -"Le refus explicite (!host) est résolu en premier. SSSD recherche ensuite les " -"autorisations explicites (host) et enfin toutes les autorisations (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (entier)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" -"Noter que l'option de configuration ldap_access_order <emphasis>doit</" -"emphasis> inclure <quote>host</quote> de façon à permettre à l'option " -"ldap_user_authorized_host de fonctionner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Par défaut : host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Par défaut : 86400 (24 heures)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" +"Spécifie par ordre de préférence la liste séparée par des virgules des " +"adresses IP ou des noms de systèmes des serveurs Kerberos auquel SSSD doit " +"se connecter. Pour plus d'informations sur la redondance de bascule et la " +"redondance de serveur, consulter la section <quote>BASCULE</quote>. Un " +"numéro de port facultatif (précédé de deux-points) peut être ajouté aux " +"adresses ou aux noms de systèmes. Si vide, la découverte de services est " +"activée - pour plus d'informations, se reporter à la section de " +"<quote>DÉCOUVERTE DE SERVICES</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" +"Lors de l'utilisation de découverte de services pour le KDC ou les serveurs " +"kpasswd, SSSD recherche en premier les entrées DNS qui définissent _udp " +"comme protocole, et passe sur _tcp si aucune entrée n'est trouvée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" +"Cette option s'appelait <quote>krb5_kdcip</quote> dans les versions " +"précédentes de SSSD. Bien que ce nom soit toujours reconnu à l'heure " +"actuelle, il est conseillé de migrer les fichiers de configuration vers " +"l'utilisation de <quote>krb5_server</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "ldap_user_certificate (chaîne)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" +"Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</" +"filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (booléen)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" +"Spécifie si le principal de l'hôte doit être rendu canonique lors de la " +"connexion au serveur LDAP. Cette fonctionnalité est disponible avec MIT " +"Kerberos > = 1.7" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" +"Indique si SSSD doit préciser aux bibliothèques Kerberos quels domaine et " +"KDC utiliser. 
Cette option est activée par défaut, si elle est désactivée, " +"la bibliothèque Kerberos doit être configurée à l'aide du fichier de " +"configuration <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" +"Consulter la page de manuel de <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> pour plus d'informations sur le greffon de " +"localisation." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (chaîne)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "La classe d'objet d'une entrée de groupe dans LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" +"Détermine la politique d'expiration des mots de passe côté client. Les " +"valeurs suivantes sont acceptées :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Par défaut : posixGroup" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (chaîne)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" +"<emphasis>none</emphasis> : aucun évaluation du côté client. Cette option ne " +"peut pas désactiver la politique sur les mots de passe du côté serveur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "L'attribut LDAP correspondant au nom du groupe." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" +"<emphasis>shadow</emphasis> - Utiliser les attributs de style " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> pour évaluer si le mot de passe a expiré." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (chaîne)" +"<emphasis>mit_kerberos</emphasis> : utilise les attributs utilisés par MIT " +"Kerberos pour déterminer si le mot de passe a expiré. 
Utiliser " +"chpass_provider=krb5 afin de modifier ces attributs lorsque le mot de passe " +"est changé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "L'attribut LDAP correspondant à l'identifiant de groupe." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" +"<emphasis>Note</emphasis> : si une politique de mots de passe est configurée " +"côté serveur, elle prend le pas sur la politique indiquée avec cette option." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "L'attribut LDAP contenant les noms des membres du groupe." +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Par défaut : memberuid (rfc2307) / member (rfc2307bis)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "ldap_group_uuid (chaîne)" +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "Définit si le déréférencement automatique doit être activé." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (string)" +"Veuillez noter que sssd ne supporte que le déréférencement que lorsqu'il est " +"compilé avec OpenLDAP version 2.4.13 ou supérieur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1062 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" -"L'attribut LDAP qui contient l'objectSID d'un objet de groupe LDAP. Ceci " -"n'est habituellement nécessaire que pour les serveurs Active Directory." +"La déréférenciation de références peut subir une altération notable des " +"performances dans les environnements qui les utilisent fortement, un exemple " +"notable étant Microsoft Active Directory. Si votre installation ne nécessite " +"pas l'utilisation des références, affecter false à cette option devrait " +"permettre d'améliorer de façon notable les performances." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (entier)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 -msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -"L'attribut LDAP qui contient une valeur entière indiquant le type de groupe " -"voire d'autres indicateurs." +"Définit le nom de service à utiliser quand la découverte de services est " +"activée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Par défaut : ldap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1092 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." 
msgstr "" -"Cet attribut est actuellement utilisé uniquement par le fournisseur AD pour " -"déterminer si un groupe est un groupe de domaine local et doit être filtré " -"hors des domaines approuvés." +"Définit le nom de service à utiliser pour trouver un serveur LDAP autorisant " +"un changement de mot de passe quand la découverte de services est activée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" +"Par défaut : non défini, c'est-à-dire que le service de découverte est " +"désactivé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1106 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" +"Spécifie s'il faut mettre à jour l'attribut ldap_user_shadow_last_change " +"avec le nombre de jours depuis Epoch après l'opération de changement de mot " +"de passe." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (entier)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1121 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -"Si ldap_schema est défini comme un format prenant en charge les groupes " -"imbriqués (par exemple RFC2307bis), alors cette option contrôle le nombre de " -"niveaux d'imbrication que SSSD suivra. Cette option n'a pas d'effet sur le " -"schéma RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Exemple :" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Par défaut : 2" +"Cet exemple signifie que l'accès à cet hôte est restreint aux utilisateurs " +"dont l'attribut employeeType est « admin »." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1153 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." 
+"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" -"Cette option active ou désactive l'utilisation de l'attribut Token-Groups " -"lors de l'initialisation des groupes pour les utilisateurs Active Directory " -"2008 et versions ultérieures." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Par défaut : vide" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (chaîne)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "La classe d'objet d'une entrée de netgroup dans LDAP." +#: sssd-ldap.5.xml:1170 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"Avec cette option une évaluation du côté client des contrôles d'accès peut " +"être activée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. 
the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" -"Pour un fournisseur IPA, ipa_netgroup_object_class doit être utilisé à la " -"place." +"Veuillez noter qu'il est toujours recommandé d'utiliser un contrôle d'accès " +"du côté serveur, c'est-à-dire que le serveur LDAP doit refuser une requête " +"de connexion avec un code erreur approprié même si le mot de passe est " +"correct." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Par défaut : nisNetgroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (chaîne)" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Les valeurs suivantes sont autorisées :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "L'attribut LDAP correspondant au nom du netgroup." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" +"<emphasis>shadow</emphasis> : utiliser la valeur de ldap_user_shadow_expire " +"pour déterminer si le compte a expiré." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." 
msgstr "" -"Dans le fournisseur IPA, ipa_netgroup_name doit être utilisé à la place." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (chaîne)" +"<emphasis>ad</emphasis> : utilise la valeur du champ 32 bits " +"ldap_user_ad_user_account_control et autorise l'accès si le deuxième bit " +"n'est pas défini. Si l'attribut est manquant, l'accès est autorisé. La date " +"d'expiration du compte est aussi vérifiée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." -msgstr "L'attribut LDAP contenant les noms des membres du netgroup." +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis> : utilise la valeur de ldap_ns_account_lock afin de vérifier si " +"l'accès est autorisé ou non." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" -"Dans le fournisseur IPA, ipa_netgroup_member doit être utilisé à la place." 
+"<emphasis>nds</emphasis> : les valeurs de " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled et " +"ldap_user_nds_login_expiration_time sont utilisées pour vérifier si l'accès " +"est autorisé. Si les deux attributs sont manquants, l'accès est autorisé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Par défaut : memberNisNetgroup" +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" +"Noter que l'option de configuration ldap_access_order <emphasis>doit</" +"emphasis> inclure <quote>expire</quote> de façon à permettre à l'option " +"ldap_account_expire_policy de fonctionner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (chaîne)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 -msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" -"L'attribut LDAP contenant les triplets (hôte, utilisateur, domaine) d'un " -"netgroup." +"Liste séparées par des virgules des options de contrôles d'accès. Les " +"valeurs autorisées sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." 
-msgstr "Cette option n'est pas disponible dans le fournisseur IPA." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Par défaut : nisNetgroupTriple" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Par défaut : ipService" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1272 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" +"<emphasis>authorized_service</emphasis> : utiliser l'attribut " +"authorizedService pour déterminer l'accès" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" +"<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -"Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger " -"des objets." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1312 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -"Cf. <quote>ldap_search_base</quote> pour plus d'informations sur la " -"configuration des bases de recherche multiples." - -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Par défaut : la valeur de <emphasis>ldap_search_base</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Par défaut : filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" +"Veuillez noter qu'une valeur utilisée plusieurs fois résulte en une erreur " +"de configuration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" -msgstr "" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." -msgstr "La classe d'objet d'une entrée de service LDAP." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (string)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (chaînes)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -"L'attribut LDAP qui contient le nom des attributs de service et de leurs " -"alias." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (string)" +"Définit comment le déréférencement de l'alias est effectué lors d'une " +"recherche. Les options suivantes sont autorisées :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "L'attribut LDAP qui contient le port géré par ce service." +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Par défaut : ipServicePort" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" +"<emphasis>searching</emphasis> : Les alias sont déréférencés comme des " +"subordonnés de l'objet de base, mais pas en localisant l'objet de base de la " +"recherche." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1364 msgid "" -"The LDAP attribute that contains the protocols understood by this service." -msgstr "L'attribut LDAP qui contient les protocoles compris par ce service." +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" +"<emphasis>finding</emphasis> : les alias sont seulement déréférencés lors de " +"la localisation de l'objet de base de la recherche." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Par défaut : ipServiceProtocol" +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" +"<emphasis>always</emphasis> : les alias sont déréférencés à la fois pour la " +"recherche et et la localisation de l'objet de base de la recherche." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" +"Par défaut : vide (ceci est traité comme <emphasis>never</emphasis> par les " +"bibliothèques clientes LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (entier)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1385 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP " -"avant annulation et utilisation des résultats contenus dans le cache (et " -"activation du mode hors ligne)" +"Permet de conserver les utilisateurs locaux en tant que membres d'un groupe " +"LDAP pour les serveurs qui utilisent le schéma RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1389 msgid "" -"Note: this option is subject to change in future versions of the SSSD. 
It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"Note : cette option est susceptible de changer dans les prochaines version " -"de SSSD. Elle sera sûrement remplacée par une série de délais d'attente pour " -"différents types de recherches." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (entier)" +"Dans certains environnements où le schéma RFC2307 est utilisé, les " +"utilisateurs locaux deviennent membres du groupes LDAP en ajoutant leurs " +"noms à l'attribut memberUid. La cohérence du domaine est compromise quand " +"cela est fait, SSSD supprimerait normalement les utilisateurs « disparus » " +"des appartenances aux groupes mises en cache dès que nsswitch essaie de " +"récupérer des informations sur l'utilisateur via des appels à getpw*() ou " +"initgoups()." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1400 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." 
msgstr "" -"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP " -"sur les utilisateurs et groupes avant annulation et utilisation des " -"résultats mis en cache (et activation du mode hors ligne)" +"Cette option vérifie en dernier recours si les utilisateurs locaux sont " +"référencés et les met en cache afin que des appels ultérieurs à initgoups() " +"ajoutent les utilisateurs locaux aux groupes LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (entier)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1415 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -"Définit le délai d'attente (en secondes) après lequel les fonctions " -"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " -"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " -"<manvolnum>2</manvolnum> </citerefentry> suivant un <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> rendent la main en cas d'inactivité." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (entier)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 -msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (entier)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. 
If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Spécifie un délai d'attente (en secondes) pendant laquelle une connexion à " -"un serveur LDAP est maintenue. Passé ce délai, la connexion devra être " -"rétablie. Si ce paramètre est utilisé en parallèle avec SASL/GSSAPI, la plus " -"courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée." +"Toutes les options de configuration communes appliquées aux domaines SSSD " +"s'appliquent aussi aux domaines LDAP. Voir la section des <quote>SECTIONS DE " +"DOMAINE</quote> dans la page de manuel <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de " +"détails. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Par défaut : 900 (15 minutes)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "OPTIONS DE SUDO" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (entier)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1449 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" -"Définit le nombre d'enregistrements à récupérer lors d'une requête LDAP. " -"Certains serveurs LDAP imposent une limite maximale par requête." +"La durée en secondes pendant laquelle SSSD va attendre entre deux " +"actualisations complètes des règles de sudo (qui téléchargent toutes les " +"règles qui sont stockées sur le serveur)." -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Par défaut : 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"La valeur doit être supérieure à <emphasis>ldap_sudo_smart_refresh_interval</" +"emphasis>" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Par défaut : 21600 (6 heures)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1468 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -"Désactiver le contrôle de pagination LDAP. Cette option doit être utilisée " -"si le serveur LDAP signale qu'il prend en charge le contrôle de pagination " -"LDAP de l'objet RootDSE, mais qu'il n'est pas activé ou ne se comporte pas " -"correctement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1474 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" -"Exemple : le serveurs OpenLDAP avec le module de contrôle de pagination " -"installé sur le serveur mais non activé le signaleront dans RootDSE mais il " -"sera impossible de l'utiliser." 
+"Si les attributs USN ne sont pas pris en charge par le serveur, l'attribut " +"modifyTimestamp est utilisé à la place." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1478 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" -"Exemple : 389 DS a un bogue où il ne peut que soutenir qu'un seul contrôle " -"de pagination à la fois sur une connexion donnée. Sur les clients chargés, " -"cela peut entraîner l'échec de certaines demandes." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (booléen)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "Désactiver la récupération de plage Active Directory." +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1498 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). 
If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" -"Active Directory limite le nombre de membres à récupérer par recherche à " -"l'aide de la stratégie MaxValRange (qui prend la valeur par défaut de 1500 " -"membres). Si un groupe contient plus de membres, la réponse inclura une " -"extension de plage spécifique à Active Directory. Cette option désactive " -"l'analyse de cette extension de plage, les groupes de grande taille " -"apparaissant ainsi sans aucun membre." +"Si true, SSSD téléchargera les seules règles qui s'appliquent à cette " +"machine (à l'aide de l'adresse de système ou de réseau IPv4 ou IPv6 et des " +"noms de systèmes)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1512 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -"Lors de la communication avec un serveur LDAP en utilisant SASL, spécifie le " -"niveau de sécurité minimal nécessaire pour établir la connexion. Les valeurs " -"de cette option sont définies par OpenLDAP." 
+"Liste séparés par des espaces des noms de systèmes ou de domaines qui " +"doivent être utilisés pour filtrer les règles." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -"Par défaut : Utiliser la valeur par défaut du système (généralement spécifié " -"par ldap.conf)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (entier)" +"Si cette option est vide, SSSD va essayer de découvrir automatiquement le " +"nom de système et le nom de domaine pleinement qualifié." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -"Définit le nombre de membres du groupe qui doivent manquer au sein du cache " -"interne afin de déclencher une recherche de déréférencement. Si le nombre de " -"membres manquants est inférieur, ils sont recherchés individuellement." +"Si <emphasis>ldap_sudo_use_host_filter</emphasis> est <emphasis>false</" +"emphasis>, alors cette option n'a aucun effet." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." -msgstr "" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "Par défaut : non spécifié" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#: sssd-ldap.5.xml:1536 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"Une recherche de déréférencement est un moyen pour récupérer tous les " -"membres d'un groupe avec un seul appel LDAP. Plusieurs serveurs LDAP peuvent " -"avoir différentes méthodes de déréférencement. Les serveurs actuellement " -"acceptés sont 389/RHDS, OpenLDAP et Active Directory." +"Liste séparés par des espaces d'adresses de système ou de réseaux IPv4 ou " +"IPv6 qui doivent être utilisés pour filtrer les règles." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#: sssd-ldap.5.xml:1541 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" -"<emphasis>Remarque :</emphasis> Si l'une des bases de recherche spécifie un " -"filtre de recherche, alors l'amélioration de la performance de recherche de " -"déréférencement est désactivée indépendamment de ce paramètre." +"Si cette option est vide, SSSD va essayer de découvrir les adresses " +"automatiquement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (chaîne)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 +#: sssd-ldap.5.xml:1559 msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"Définit les vérifications à effectuer sur les certificats serveur sur une " -"session TLS, si elle existe. Une des valeurs suivantes est utilisable :" +"Si elle est vraie alors SSSD téléchargera toutes les règles qui contient un " +"netgroup dans l'attribut sudoHost." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (boolean)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#: sssd-ldap.5.xml:1577 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -"<emphasis>never</emphasis> : le client ne demandera ni ne vérifiera un " -"quelconque certificat du serveur." +"Si positionnée à true, SSSD téléchargera toutes les règles qui contiennent " +"un joker dans l'attribut sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -"<emphasis>allow</emphasis> : le certificat serveur est demandé. Si aucun " -"certificat n'est fournit, la session continue normalement. Si un mauvais " -"certificat est fourni, il est ignoré et la session continue normalement." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +"This manual page only describes attribute name mapping. 
For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -"<emphasis>try</emphasis> : le certificat serveur est demandé. Si aucun " -"certificat n'est fourni, la session continue normalement. Si un mauvais " -"certificat est fourni, la session se termine immédiatement." +"Cette page de manuel décrit uniquement le mappage de noms d'attribut. Pour " +"une explication détaillée des sémantiques d'attributs relatives à sudo, cf. " +"<citerefentry><refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "OPTIONS AUTOFS" + +#. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1611 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -"<emphasis>demand</emphasis> : le certificat serveur est demandé. Si aucun " -"certificat ou un mauvais certificat est fourni, la session se termine " -"immédiatement." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>" +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Par défaut : hard" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (chaîne)" +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." +msgstr "Le nom de la table de montage automatique maîtresse dans LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 -msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." -msgstr "" -"Définit le fichier qui contient les certificats pour toutes les autorités de " -"certification que <command>sssd</command> reconnaîtra." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Par défaut : auto.master" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 -msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" -msgstr "" -"Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans " -"<filename>/etc/openldap/ldap.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "OPTIONS AVANCÉES" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (chaîne)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 -msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." -msgstr "" -"Spécifie le chemin d'un dossier qui contient les certificats de l'autorité " -"de certificats dans des fichiers séparés. Usuellement, les noms de fichiers " -"sont la somme de contrôle du certificat suivi de « .0 ». Si disponible, " -"<command>cacertdir_rehash</command> peut être utilisé pour créer les noms " -"corrects." +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (chaînes)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." -msgstr "Définit le fichier qui contient le certificat pour la clef du client." +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (chaînes)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "Définit le fichier qui contient la clef du client." 
+#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (chaînes)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" +msgstr "<note>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (booléen)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" +msgstr "</note>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." -msgstr "" -"Définit le fait que le fournisseur d'identité de connexion doit aussi " -"utiliser <systemitem class=\"protocol\">tls</systemitem> pour protéger le " -"canal." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (boolean)" +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"Indique que SSSD doit tenter de trouver les correspondances des ID " -"d'utilisateur et de groupe dans les attributs ldap_user_objectsid et " -"ldap_group_objectsid au lieu d'utiliser ldap_user_uid_number et " -"ldap_group_gid_number." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" -"Cette fonctionnalité ne prend actuellement en charge que la correspondance " -"par objectSID avec Active Directory." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "EXEMPLE" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" +"L'exemple suivant suppose que SSSD est correctement configuré et que LDAP " +"pointe sur un des domaines de la section <replaceable>[domains]</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." 
+"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Au contraire de la mise en correspondance d'identifiants s'appuyant sur les " -"SID utilisée si ldap_id_mapping est positionné à true, les plages " -"d'identifiants autorisés pour ldap_user_uid_number et ldap_group_gid_number " -"n'ont pas de limite. Dans une configuration avec des sous-domaines ou des " -"domaines approuvés, cela peut engendrer des collisions. Pour les éviter, " -"ldap_min_id et ldap_max_id peuvent être configurés afin de restreindre les " -"plages d'identifiants autorisées lues directement depuis le serveur. Les " -"sous-domaines peuvent ensuite choisir d'autres plages pour leurs propres " -"identifiants." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" -msgstr "Par défaut : non indiqué (les deux options sont à 0)" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (chaîne)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 -msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 #, no-wrap msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "NOTES" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." 
+"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" +"Les descriptions de quelques unes des options de configuration des pages de " +"manuel sont basées sur le manuel de <citerefentry> <refentrytitle>ldap.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> de la distribution " +"de OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "Par défaut : host/hostname@REALM" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "Module PAM pour SSSD" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -"Spécifie le domaine SASL à utiliser. Si non spécifié, cette option prend par " -"défaut la valeur de krb5_realm. Si le ldap_sasl_authid contient aussi le " -"domaine, cette option est ignorée." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Par défaut : la valeur de krb5_realm." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (booléen)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). 
Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -"Si true, la bibliothèque LDAP effectue une recherche inversée pour canoniser " -"le nom de l'hôte au cours d'une liaison SASL." +"<command>pam_sss.so</command> est l'interface PAM pour le démon des services " +"de sécurité système (SSSD). Les erreurs et résultats sont journalisés par " +"<command>syslog(3)</command> avec l'argument LOG_AUTHPRIV." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Défaut : false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "Supprimer les messages de journal pour les utilisateurs inconnus." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -"Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5." -"keytab</filename>" +"Si <option>forward_pass</option> est défini, le mot de passe saisi est " +"inséré en mémoire pour les autres modules PAM utilisés." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (booléen)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" +"L'argument use_first_pass force le module à utliser un module de mot de " +"passe déjà en mémoire et n'en fera jamais la demande à l'utilisateur. Si " +"aucun mot de passe n'est disponible ou que celui-ci n'est pas approprié, " +"l'utilisateur verra son accès refusé." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (entier)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" +"Lorsque le changement de mot de passe force le module à modifier le mot de " +"passe par celui fourni par un module de mot de passe déjà chargé en mémoire." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Par défaut : 86400 (24 heures)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -"Spécifie par ordre de préférence la liste séparée par des virgules des " -"adresses IP ou des noms de systèmes des serveurs Kerberos auquel SSSD doit " -"se connecter. Pour plus d'informations sur la redondance de bascule et la " -"redondance de serveur, consulter la section <quote>BASCULE</quote>. Un " -"numéro de port facultatif (précédé de deux-points) peut être ajouté aux " -"adresses ou aux noms de systèmes. Si vide, la découverte de services est " -"activée - pour plus d'informations, se reporter à la section de " -"<quote>DÉCOUVERTE DE SERVICES</quote>." +"Si définit, on demande le mot de passe à l'utilisateur encore N fois si " +"l'authentification échoue. Par défaut : 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." 
+"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -"Lors de l'utilisation de découverte de services pour le KDC ou les serveurs " -"kpasswd, SSSD recherche en premier les entrées DNS qui définissent _udp " -"comme protocole, et passe sur _tcp si aucune entrée n'est trouvée." +"Veuillez noter que cette option peut ne pas fonctionner comme attendu si " +"l'application qui appelle PAM gère lui-même les dialogues avec " +"l'utilisateur. Un exemple typique est <command>sshd</command> avec " +"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -"Cette option s'appelait <quote>krb5_kdcip</quote> dans les versions " -"précédentes de SSSD. Bien que ce nom soit toujours reconnu à l'heure " -"actuelle, il est conseillé de migrer les fichiers de configuration vers " -"l'utilisation de <quote>krb5_server</quote>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -"Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</" -"filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (booléen)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -"Spécifie si le principal de l'hôte doit être rendu canonique lors de la " -"connexion au serveur LDAP. Cette fonctionnalité est disponible avec MIT " -"Kerberos > = 1.7" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (booléen)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"Indique si SSSD doit préciser aux bibliothèques Kerberos quels domaine et " -"KDC utiliser. Cette option est activée par défaut, si elle est désactivée, " -"la bibliothèque Kerberos doit être configurée à l'aide du fichier de " -"configuration <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." -msgstr "" -"Consulter la page de manuel de <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> pour plus d'informations sur le greffon de " -"localisation." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -"Détermine la politique d'expiration des mots de passe côté client. Les " -"valeurs suivantes sont acceptées :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -"<emphasis>none</emphasis> : aucun évaluation du côté client. Cette option ne " -"peut pas désactiver la politique sur les mots de passe du côté serveur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -"<emphasis>shadow</emphasis> - Utiliser les attributs de style " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> pour évaluer si le mot de passe a expiré." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. 
Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -"<emphasis>mit_kerberos</emphasis> : utilise les attributs utilisés par MIT " -"Kerberos pour déterminer si le mot de passe a expiré. Utiliser " -"chpass_provider=krb5 afin de modifier ces attributs lorsque le mot de passe " -"est changé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -"<emphasis>Note</emphasis> : si une politique de mots de passe est configurée " -"côté serveur, elle prend le pas sur la politique indiquée avec cette option." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (booléen)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "Définit si le déréférencement automatique doit être activé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -"Veuillez noter que sssd ne supporte que le déréférencement que lorsqu'il est " -"compilé avec OpenLDAP version 2.4.13 ou supérieur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"La déréférenciation de références peut subir une altération notable des " -"performances dans les environnements qui les utilisent fortement, un exemple " -"notable étant Microsoft Active Directory. Si votre installation ne nécessite " -"pas l'utilisation des références, affecter false à cette option devrait " -"permettre d'améliorer de façon notable les performances." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (chaîne)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -"Définit le nom de service à utiliser quand la découverte de services est " -"activée." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Par défaut : ldap" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Définit le nom de service à utiliser pour trouver un serveur LDAP autorisant " -"un changement de mot de passe quand la découverte de services est activée." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. 
service discovery is disabled" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 +msgid "" +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -"Par défaut : non défini, c'est-à-dire que le service de découverte est " -"désactivé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "TYPES DE MODULES FOURNIS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"Spécifie s'il faut mettre à jour l'attribut ldap_user_shadow_last_change " -"avec le nombre de jours depuis Epoch après l'opération de changement de mot " -"de passe." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (chaîne)" +"Tous les types de module (<option>account</option>, <option>auth</option>, " +"<option>password</option> et <option>session</option>) sont fournis." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Exemple :" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "FICHIERS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." 
msgstr "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"Si une réinitialisation par root d'un mot de passe échoue parce que le " +"fournisseur SSSD correspondant ne prend pas en charge la réinitialisation de " +"mot de passe, un message spécifique peut être affiché. Ce message peut, par " +"exemple, contenir les instructions permettant la réinitialisation." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"Cet exemple signifie que l'accès à cet hôte est restreint aux utilisateurs " -"dont l'attribut employeeType est « admin »." +"Le message est lu depuis le fichier <filename>pam_sss_pw_reset_message.LOC</" +"filename> où LOC représente une chaîne de paramètres régionaux retournée par " +"<citerefentry><refentrytitle>setlocale</refentrytitle> <manvolnum>3</" +"manvolnum></citerefentry>. Si il n'y a aucun fichier correspondant, le " +"contenu de <filename>pam_sss_pw_reset_message.txt</filename> est affiché. " +"L'utilisateur root doit être le propriétaire des fichiers et seul root peut " +"avoir les autorisations en lecture et en écriture alors que tous les autres " +"utilisateurs doivent avoir les autorisations en lecture seule." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" +"Ces fichiers sont recherchés dans le dossier <filename>/etc/sssd/customize/" +"NOM_DE_DOMAINE/</filename>. Si aucun fichier correspondant n'est présent, un " +"message spécifique est affiché." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Par défaut : vide" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." -msgstr "" -"Avec cette option une évaluation du côté client des contrôles d'accès peut " -"être activée." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "Greffon de localisation Kerberos" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -"Veuillez noter qu'il est toujours recommandé d'utiliser un contrôle d'accès " -"du côté serveur, c'est-à-dire que le serveur LDAP doit refuser une requête " -"de connexion avec un code erreur approprié même si le mot de passe est " -"correct." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Les valeurs suivantes sont autorisées :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -"<emphasis>shadow</emphasis> : utiliser la valeur de ldap_user_shadow_expire " -"pour déterminer si le compte a expiré." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. 
An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -"<emphasis>ad</emphasis> : utilise la valeur du champ 32 bits " -"ldap_user_ad_user_account_control et autorise l'accès si le deuxième bit " -"n'est pas défini. Si l'attribut est manquant, l'accès est autorisé. La date " -"d'expiration du compte est aussi vérifiée." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 -msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis> : utilise la valeur de ldap_ns_account_lock afin de vérifier si " -"l'accès est autorisé ou non." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 -msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -"<emphasis>nds</emphasis> : les valeurs de " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled et " -"ldap_user_nds_login_expiration_time sont utilisées pour vérifier si l'accès " -"est autorisé. Si les deux attributs sont manquants, l'accès est autorisé." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -"Noter que l'option de configuration ldap_access_order <emphasis>doit</" -"emphasis> inclure <quote>expire</quote> de façon à permettre à l'option " -"ldap_account_expire_policy de fonctionner." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -"Liste séparées par des virgules des options de contrôles d'accès. Les " -"valeurs autorisées sont :" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. 
" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 -msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." 
+"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" +"Toutes les versions de Kerberos ne prennent en charge l'utilisation de " +"greffons. Si <command>sssd_krb5_locator_plugin</command> n'est pas présent " +"sur votre système, il faut modifier /etc/krb5.conf pour s'adapter à la " +"configuration de Kerberos." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" +"Si la variable d'environnement SSSD_KRB5_LOCATOR_DEBUG a une valeur " +"quelconque, des messages de débogage seront envoyés sur la sortie standard " +"d'erreur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -"<emphasis>authorized_service</emphasis> : utiliser l'attribut " -"authorizedService pour déterminer l'accès" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" -msgstr "" -"<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 -msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" +"le fichier de configuration pour le fournisseur de contrôle d'accès « " +"simple » de SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" +"Cette page de manuel décrit la configuration du fournisseur de contrôle " +"d'accès simple de <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Pour plus de détails sur la " +"syntaxe, cf. la section <quote>FORMAT DE FICHIER</quote> de la page de " +"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Par défaut : filter" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"Veuillez noter qu'une valeur utilisée plusieurs fois résulte en une erreur " -"de configuration." +"Le fournisseur d'accès simple autorise les accès à partir de listes " +"d'autorisation ou de refus de noms d'utilisateurs ou de groupes. 
Les règles " +"suivantes s'appliquent :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" -msgstr "ldap_pwdlockout_dn (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Si toutes les listes sont vides, l'accès est autorisé" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" +"Si une liste est fournie, quelle qu'elle soit, l'ordre d'évaluation est " +"allow,deny. Autrement dit une règle de refus écrasera une règle " +"d'autorisation." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" -msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" +"Si la ou les listes fournies sont seulement de type « allow », tous les " +"utilisateurs sont refusés à moins qu'ils ne soient dans la liste." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" +"Si seulement les listes « deny » sont utilisées, tous les utlisateurs sont " +"autorisés à moins qu'ils ne soient dans la liste." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (chaînes)" +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 -msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" -"Définit comment le déréférencement de l'alias est effectué lors d'une " -"recherche. Les options suivantes sont autorisées :" +"Liste séparée par des virgules d'utilisateurs autorisés à se connecter." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." -msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -"<emphasis>searching</emphasis> : Les alias sont déréférencés comme des " -"subordonnés de l'objet de base, mais pas en localisant l'objet de base de la " -"recherche." +"Liste séparée par des virgules d'utilisateurs dont l'accès sera refusé." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#: sssd-simple.5.xml:100 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -"<emphasis>finding</emphasis> : les alias sont seulement déréférencés lors de " -"la localisation de l'objet de base de la recherche." +"Liste séparée par des virgules de groupes autorisés à se connecter. Ceci ne " +"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " +"pas pris en compte." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (chaîne)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"<emphasis>always</emphasis> : les alias sont déréférencés à la fois pour la " -"recherche et et la localisation de l'objet de base de la recherche." +"Liste séparée par des virgules de groupes dont l'accès sera refusé. Ceci ne " +"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " +"pas pris en compte." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Par défaut : vide (ceci est traité comme <emphasis>never</emphasis> par les " -"bibliothèques clientes LDAP)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (booléen)" +"Se référer à la section <quote>SECTIONS DE DOMAINE</quote> de la page de " +"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> pour les détails sur la configuration d'un " +"domaine SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"Permet de conserver les utilisateurs locaux en tant que membres d'un groupe " -"LDAP pour les serveurs qui utilisent le schéma RFC2307." +"Ne spécifier aucune valeur pour aucune des listes revient à l'ignorer " +"complètement. Se méfier de ceci lors de la création des paramètres pour le " +"fournisseur simple à l'aide automatique de scripts." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. 
" -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -"Dans certains environnements où le schéma RFC2307 est utilisé, les " -"utilisateurs locaux deviennent membres du groupes LDAP en ajoutant leurs " -"noms à l'attribut memberUid. La cohérence du domaine est compromise quand " -"cela est fait, SSSD supprimerait normalement les utilisateurs « disparus » " -"des appartenances aux groupes mises en cache dès que nsswitch essaie de " -"récupérer des informations sur l'utilisateur via des appels à getpw*() ou " -"initgoups()." +"Veuillez noter que la configuration simultanée de simple_allow_users et " +"simple_deny_users est une erreur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -"Cette option vérifie en dernier recours si les utilisateurs locaux sont " -"référencés et les met en cache afin que des appels ultérieurs à initgoups() " -"ajoutent les utilisateurs locaux aux groupes LDAP." +"L'exemple suivant suppose que SSSD est correctement configuré et que example." 
+"com est un des domaines dans la section <replaceable>[sssd]</replaceable>. " +"Ces exemples montrent seulement les options spécifiques du fournisseur " +"d'accès simple." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#: sss-certmap.5.xml:23 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -"Toutes les options de configuration communes appliquées aux domaines SSSD " -"s'appliquent aussi aux domaines LDAP. Voir la section des <quote>SECTIONS DE " -"DOMAINE</quote> dans la page de manuel <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de " -"détails. <placeholder type=\"variablelist\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "OPTIONS DE SUDO" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#: sss-certmap.5.xml:28 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. 
If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "La classe d'objet d'une entrée de règle de sudo dans LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Par défaut : sudoRole" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "L'attribut LDAP qui correspond au nom de la règle de sudo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "L'attribut LDAP qui correspond au nom de la commande." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Par défaut : sudoCommand" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -"L'attribut LDAP qui correspond au nom d'hôte (ou adresse IP de l'hôte, " -"réseau IP de l'hôte ou netgroup de l'hôte)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Par défaut : sudoHost" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (string)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -"L'attribut LDAP qui correspond au nom d'utilisateur (ou UID, le nom du " -"groupe ou netgroup de l'utilisateur)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Par défaut : sudoUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "L'attribut LDAP qui correspond aux options sudo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Par défaut : sudoOption" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." 
+"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -"L'attribut LDAP qui correspond aux commandes peuvent être exécutées sous le " -"nom d'utilisateur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Par défaut : sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." 
+"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -"L'attribut LDAP qui correspond au nom du groupe ou GID du groupe sous lequel " -"les commandes seront être exécutées." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Par défaut : sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." 
msgstr "" -"L'attribut LDAP qui correspond à la date/heure de début pour laquelle la " -"règle sudo est valide." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Par défaut : sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -"L'attribut LDAP qui correspond à la date/heure d'expiration, après quoi la " -"règle sudo ne sera plus valide." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Par défaut : sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." -msgstr "L'attribut LDAP qui correspond à l'index de tri de la règle." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Par défaut : sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -"La durée en secondes pendant laquelle SSSD va attendre entre deux " -"actualisations complètes des règles de sudo (qui téléchargent toutes les " -"règles qui sont stockées sur le serveur)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -"La valeur doit être supérieure à <emphasis>ldap_sudo_smart_refresh_interval</" -"emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Par défaut : 21600 (6 heures)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -"Si les attributs USN ne sont pas pris en charge par le serveur, l'attribut " -"modifyTimestamp est utilisé à la place." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (boolean)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -"Si true, SSSD téléchargera les seules règles qui s'appliquent à cette " -"machine (à l'aide de l'adresse de système ou de réseau IPv4 ou IPv6 et des " -"noms de systèmes)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (string)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -"Liste séparés par des espaces des noms de systèmes ou de domaines qui " -"doivent être utilisés pour filtrer les règles." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -"Si cette option est vide, SSSD va essayer de découvrir automatiquement le " -"nom de système et le nom de domaine pleinement qualifié." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -"Si <emphasis>ldap_sudo_use_host_filter</emphasis> est <emphasis>false</" -"emphasis>, alors cette option n'a aucun effet." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "Par défaut : non spécifié" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (string)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -"Liste séparés par des espaces d'adresses de système ou de réseaux IPv4 ou " -"IPv6 qui doivent être utilisés pour filtrer les règles." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -"Si cette option est vide, SSSD va essayer de découvrir les adresses " -"automatiquement." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -"Si elle est vraie alors SSSD téléchargera toutes les règles qui contient un " -"netgroup dans l'attribut sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -"Si positionnée à true, SSSD téléchargera toutes les règles qui contiennent " -"un joker dans l'attribut sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -"Cette page de manuel décrit uniquement le mappage de noms d'attribut. Pour " -"une explication détaillée des sémantiques d'attributs relatives à sudo, cf. " -"<citerefentry><refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "OPTIONS AUTOFS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "ldap_autofs_map_master_name (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." -msgstr "Le nom de la table de montage automatique maîtresse dans LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "Par défaut : auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -"La classe d'objet d'une entrée de table de montage automatique dans LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "Le nom d'une entrée de table de montage automatique dans LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 -msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -"La clé d'une entrée de montage automatique dans LDAP. L'entrée correspond " -"généralement à un point de montage." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. 
With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 -msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "OPTIONS AVANCÉES" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (chaînes)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (chaînes)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (chaînes)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" -msgstr "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" -msgstr "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 -msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "EXEMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -"L'exemple suivant suppose que SSSD est correctement configuré et que LDAP " -"pointe sur un des domaines de la section <replaceable>[domains]</" -"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 -msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "NOTES" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 -msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -"Les descriptions de quelques unes des options de configuration des pages de " -"manuel sont basées sur le manuel de <citerefentry> <refentrytitle>ldap.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> de la distribution " -"de OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "Module PAM pour SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 -msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -"<command>pam_sss.so</command> est l'interface PAM pour le démon des services " -"de sécurité système (SSSD). Les erreurs et résultats sont journalisés par " -"<command>syslog(3)</command> avec l'argument LOG_AUTHPRIV." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "Supprimer les messages de journal pour les utilisateurs inconnus." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Si <option>forward_pass</option> est défini, le mot de passe saisi est " -"inséré en mémoire pour les autres modules PAM utilisés." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 -msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -"L'argument use_first_pass force le module à utliser un module de mot de " -"passe déjà en mémoire et n'en fera jamais la demande à l'utilisateur. Si " -"aucun mot de passe n'est disponible ou que celui-ci n'est pas approprié, " -"l'utilisateur verra son accès refusé." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -"Lorsque le changement de mot de passe force le module à modifier le mot de " -"passe par celui fourni par un module de mot de passe déjà chargé en mémoire." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -"Si définit, on demande le mot de passe à l'utilisateur encore N fois si " -"l'authentification échoue. Par défaut : 0." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -"Veuillez noter que cette option peut ne pas fonctionner comme attendu si " -"l'application qui appelle PAM gère lui-même les dialogues avec " -"l'utilisateur. Un exemple typique est <command>sshd</command> avec " -"<option>PasswordAuthentication</option>." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "<option>ignore_unknown_user</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 -msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." 
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "TYPES DE MODULES FOURNIS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -"Tous les types de module (<option>account</option>, <option>auth</option>, " -"<option>password</option> et <option>session</option>) sont fournis." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "FICHIERS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -"Si une réinitialisation par root d'un mot de passe échoue parce que le " -"fournisseur SSSD correspondant ne prend pas en charge la réinitialisation de " -"mot de passe, un message spécifique peut être affiché. Ce message peut, par " -"exemple, contenir les instructions permettant la réinitialisation." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -"Le message est lu depuis le fichier <filename>pam_sss_pw_reset_message.LOC</" -"filename> où LOC représente une chaîne de paramètres régionaux retournée par " -"<citerefentry><refentrytitle>setlocale</refentrytitle> <manvolnum>3</" -"manvolnum></citerefentry>. Si il n'y a aucun fichier correspondant, le " -"contenu de <filename>pam_sss_pw_reset_message.txt</filename> est affiché. " -"L'utilisateur root doit être le propriétaire des fichiers et seul root peut " -"avoir les autorisations en lecture et en écriture alors que tous les autres " -"utilisateurs doivent avoir les autorisations en lecture seule." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." 
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -"Ces fichiers sont recherchés dans le dossier <filename>/etc/sssd/customize/" -"NOM_DE_DOMAINE/</filename>. Si aucun fichier correspondant n'est présent, un " -"message spécifique est affiché." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" -msgstr "Greffon de localisation Kerberos" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"Not all Kerberos implementations support the use of plugins. 
If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -"Toutes les versions de Kerberos ne prennent en charge l'utilisation de " -"greffons. Si <command>sssd_krb5_locator_plugin</command> n'est pas présent " -"sur votre système, il faut modifier /etc/krb5.conf pour s'adapter à la " -"configuration de Kerberos." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -"Si la variable d'environnement SSSD_KRB5_LOCATOR_DEBUG a une valeur " -"quelconque, des messages de débogage seront envoyés sur la sortie standard " -"d'erreur." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -"le fichier de configuration pour le fournisseur de contrôle d'accès « " -"simple » de SSSD." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." 
+"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -"Cette page de manuel décrit la configuration du fournisseur de contrôle " -"d'accès simple de <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Pour plus de détails sur la " -"syntaxe, cf. la section <quote>FORMAT DE FICHIER</quote> de la page de " -"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -"Le fournisseur d'accès simple autorise les accès à partir de listes " -"d'autorisation ou de refus de noms d'utilisateurs ou de groupes. Les règles " -"suivantes s'appliquent :" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Si toutes les listes sont vides, l'accès est autorisé" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' 
or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Si une liste est fournie, quelle qu'elle soit, l'ordre d'évaluation est " -"allow,deny. Autrement dit une règle de refus écrasera une règle " -"d'autorisation." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -"Si la ou les listes fournies sont seulement de type « allow », tous les " -"utilisateurs sont refusés à moins qu'ils ne soient dans la liste." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." -msgstr "" -"Si seulement les listes « deny » sont utilisées, tous les utlisateurs sont " -"autorisés à moins qu'ils ne soient dans la liste." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -"Liste séparée par des virgules d'utilisateurs autorisés à se connecter." 
- -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." -msgstr "" -"Liste séparée par des virgules d'utilisateurs dont l'accès sera refusé." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "Fournisseur IPA SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Liste séparée par des virgules de groupes autorisés à se connecter. Ceci ne " -"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " -"pas pris en compte." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (chaîne)" +"Cette page de manuel décrit la configuration du fournisseur IPA pour " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Pour une référence détaillée sur la syntaxe, veuillez " +"regarder la section <quote>FORMAT DE FICHIER</quote> de la page de manuel " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -"Liste séparée par des virgules de groupes dont l'accès sera refusé. Ceci ne " -"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " -"pas pris en compte." +"Le fournisseur IPA est le moteur pour se connecter à un serveur IPA. (Cf. le " +"site freeipa.org pour plus d'informations sur les serveurs IPA). Ce " +"fournisseur nécessite que la machine soit joignable pour le domaine IPA ; la " +"configuration est presque entièrement obtenue et auto-découverte à partir du " +"serveur." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +#: sssd-ipa.5.xml:43 msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -"Se référer à la section <quote>SECTIONS DE DOMAINE</quote> de la page de " -"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> pour les détails sur la configuration d'un " -"domaine SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#: sssd-ipa.5.xml:57 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -"Ne spécifier aucune valeur pour aucune des listes revient à l'ignorer " -"complètement. Se méfier de ceci lors de la création des paramètres pour le " -"fournisseur simple à l'aide automatique de scripts." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 +#: sssd-ipa.5.xml:62 msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -"Veuillez noter que la configuration simultanée de simple_allow_users et " -"simple_deny_users est une erreur." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#: sssd-ipa.5.xml:67 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -"L'exemple suivant suppose que SSSD est correctement configuré et que example." -"com est un des domaines dans la section <replaceable>[sssd]</replaceable>. " -"Ces exemples montrent seulement les options spécifiques du fournisseur " -"d'accès simple." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." 
msgstr "" +"Le fournisseur IPA utilisera le répondeur PAC si les tickets Kerberos " +"d'utilisateurs de domaines Kerberos approuvés contiennent un PAC. Pour " +"rendre la configuration plus facile, le répondeur PAC est démarré " +"automatiquement si le fournisseur d'ID de IPA est configuré." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" +"Définit le nom du domaine IPA. Facultatif, s'il n'est pas fourni, le nom de " +"domaine de la configuration est utilisé." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (string)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" +"La liste par ordre de préférence séparée par des virgules des adresses IP ou " +"des noms de systèmes des serveurs IPA auxquels SSSD doit se connecter . Pour " +"plus d'informations sur la redondance de serveurs et la bascule, consulter " +"la section <quote>BASCULE</quote>. Ceci est facultatif si la découverte " +"automatique est activée. Pour plus d'informations sur la découverte de " +"services, se reporter à la section de <quote>DÉCOUVERTE DE SERVICE</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (booléen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" +"NOTE : Sur les systèmes plus anciens (tels que RHEL 5), afin que ce " +"comportement fonctionne de façon fiable, le domaine Kerberos par défaut doit " +"être défini correctement dans /etc/krb5.conf" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" +"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " +"<emphasis>ipa_dyndns_update</emphasis>, les utilisateurs doivent maintenant " +"utiliser <emphasis>dyndns_update</emphasis> dans leur fichier de " +"configuration." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" +"Le TTL à appliquer à l'enregistrement du client DNS lors de sa mise à jour. " +"Si dyndns_update a la valeur false, cela n'a aucun effet. Cela remplacera le " +"TTL côté serveur s'il est défini par un administrateur." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" +"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " +"<emphasis>ipa_dyndns_ttl</emphasis>, les utilisateurs doivent maintenant " +"utiliser <emphasis>dyndns_ttl</emphasis> dans leur fichier de configuration." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Par défaut : 1200 (secondes)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 -msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" +"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " +"<emphasis>ipa_dyndns_iface</emphasis>, les utilisateurs doivent maintenant " +"utiliser <emphasis>dyndns_iface</emphasis> dans leur fichier de " +"configuration." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. 
Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (booléen)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "Active les sites DNS - découverte de service basée sur l'emplacement" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" +"Si true et que la découverte de service (cf. 
le paragraphe Découverte de " +"service au bas de la page de manuel) est activée, alors SSSD tentera d'abord " +"une découverte basée sur l'emplacement en utilisant une requête contenant " +"« _location.hostname.example.com », puis reviendra à une découverte SRV " +"traditionnelle. Si la découverte basée sur l'emplacement réussit, les " +"serveurs IPA ainsi découverts sont traités comme serveurs primaires, et les " +"serveurs identifiés via la découverte basée sur les enregistrements SRV " +"seront utilisés comme serveurs de repli" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (entier)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" +"Fréquence de mise à jour des DNS par le moteur en plus des mises à jour " +"automatiques effectuées lorsque le moteur arrive en ligne. Cette option est " +"facultative, et n'est applicable que lorsque l'option dyndns_update est " +"configurée à true." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (booléen)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" +"Selon que l'enregistrement PTR doit être explicitement mis à jour lors de la " +"mise à jour des enregistrements DNS du client. Applicable uniquement lorsque " +"l'option dyndns_update est configurée à true." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" +"Cette option doit être positionnée à False pour la plupart des déploiements " +"IPA, puisque le serveur IPA crée les enregistrements PTR automatiquement " +"quand les enregistrements directs sont modifiés." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Par défaut : False (désactivé)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (booléen)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" +"Selon que l'utilitaire nsupdate doit utiliser TCP par défaut pour la " +"communication avec le serveur DNS." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "Par défaut : False (laisser nsupdate choisir le protocole)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 +msgid "" +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Par défaut : utilise le DN de base" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" +"Facultatif. Utilise la chaîne donnée comme base de recherche pour les objets " +"HBAC associés." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 -msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" +"Facultatif. Utiliser la chaîne donnée comme base de recherche pour les " +"mappages utilisateur SELinux." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" +"Facultatif. Utiliser la chaîne donnée comme base de recherche pour les " +"domaines approuvés." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Par défaut : la valeur de <emphasis>cn=trusts,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. 
Use the given string as search base for master domain object." msgstr "" +"Facultatif. Utiliser la chaîne donnée comme base de recherche objet de " +"domaine maître." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "Par défaut : la valeur de <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" +msgstr "ipa_views_search_base (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" +"Le nom du domaine Kerberos. Facultatif, prend comme valeur par défaut la " +"valeur de <quote>ipa_domain</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" +"Le nom du domaine Kerberos a une signification spéciale dans IPA. Il est " +"convertit en DN de base pour effectuer les opérations LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" +msgstr "krb5_confd_path (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Par défaut : 5 (secondes)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (entier)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" +"Le temps entre deux recherches de règles HBAC sur un serveur IPA. Cela " +"permet de réduire le temps de latence et la charge du serveur IPA si il y a " +"beaucoup de requêtes de contrôle d'accès sur une courte période." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" +"Le temps entre les recherches de cartes SELinux sur un serveur IPA. Cela " +"réduit le temps de latence et la charge du serveur IPA s'il y a beaucoup de " +"requêtes de connexions utilisateurs sur une courte période." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (booléen)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" +msgstr "L'emplacement à automonter qu'utilisera ce client IPA" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "Par défaut : Le lieu nommé « default »" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" +msgstr "ipa_view_class (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" +msgstr "ipa_view_name (chaîne)" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Par défaut : cn" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" +msgstr "ipa_anchor_uuid (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#: sssd-ipa.5.xml:643 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" -msgstr "" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" +msgstr "ipa_user_override_object_class (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 -msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 -msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 -msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 -msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 -msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" +msgstr "ipa_group_override_object_class (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#: sssd-ipa.5.xml:696 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 -msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 -msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" +msgstr "FOURNISSEURS DE SOUS-DOMAINES" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" +"Le fournisseur de sous-domaines IPA se comporte un peu différemment s'il est " +"configuré explicitement ou implicitement." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" +"Si l'option « subdomains_provider = ipa » se trouve dans la section domaine " +"de sssd.conf, le fournisseur de sous-domaines d'IPA est configuré " +"explicitement, et toutes les demandes de sous-domaines sont envoyées au " +"serveur IPA si nécessaire." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" +"Si l'option « subdomains_provider » n'est pas définie dans la section " +"domaine de sssd.conf, mais qu'il y a l'option « id_provider = ipa », le " +"fournisseur de sous-domaines IPA est configuré implicitement. Dans ce cas, " +"si une demande de sous-domaine échoue et indique que le serveur ne prend pas " +"en charge les sous-domaines, c'est-à-dire qu'il n'est pas configuré pour les " +"relations d'approbations, le fournisseur de sous-domaines IPA est désactivé. " +"Après une heure ou après que le fournisseur IPA arrive en ligne, le " +"fournisseur de sous-domaines est à nouveau activé." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 -msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 -msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 -msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 -msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 -msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 -msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 -msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 -msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 -msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 -msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#: sssd-ipa.5.xml:821 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" +"L'exemple suivant suppose que SSSD est correctement configuré et example.com " +"est un des domaines de la section <replaceable>[sssd]</replaceable>. Ces " +"exemples montrent seulement les options spécifiques au fournisseur IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" -msgstr "Fournisseur IPA SSSD" +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "Fournisseur Active Directory SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#: sssd-ad.5.xml:23 msgid "" -"This manual page describes the configuration of the IPA provider for " +"This manual page describes the configuration of the AD provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Cette page de manuel décrit la configuration du fournisseur IPA pour " +"Cette page de manuel décrit la configuration du fournisseur AD pour " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Pour une référence détaillée sur la syntaxe, veuillez " -"regarder la section <quote>FORMAT DE FICHIER</quote> de la page de manuel " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section " +"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#: sssd-ad.5.xml:36 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -"Le fournisseur IPA est le moteur pour se connecter à un serveur IPA. (Cf. le " -"site freeipa.org pour plus d'informations sur les serveurs IPA). 
Ce " -"fournisseur nécessite que la machine soit joignable pour le domaine IPA ; la " -"configuration est presque entièrement obtenue et auto-découverte à partir du " -"serveur." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#: sssd-ad.5.xml:44 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" +"Le fournisseur AD prend en charge la connexion à Active Directory 2008 R2 ou " +"ultérieures. Les versions antérieures peuvent fonctionner, mais ne sont pas " +"supportées." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#: sssd-ad.5.xml:69 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " +"The AD provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#: sssd-ad.5.xml:74 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#: sssd-ad.5.xml:79 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" "quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." -msgstr "" -"Le fournisseur IPA utilisera le répondeur PAC si les tickets Kerberos " -"d'utilisateurs de domaines Kerberos approuvés contiennent un PAC. Pour " -"rendre la configuration plus facile, le répondeur PAC est démarré " -"automatiquement si le fournisseur d'ID de IPA est configuré." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"ldap_id_mapping = False\n" +" " msgstr "" -"Définit le nom du domaine IPA. Facultatif, s'il n'est pas fourni, le nom de " -"domaine de la configuration est utilisé." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" -msgstr "ipa_server, ipa_backup_server (string)" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. 
If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -"La liste par ordre de préférence séparée par des virgules des adresses IP ou " -"des noms de systèmes des serveurs IPA auxquels SSSD doit se connecter . Pour " -"plus d'informations sur la redondance de serveurs et la bascule, consulter " -"la section <quote>BASCULE</quote>. Ceci est facultatif si la découverte " -"automatique est activée. Pour plus d'informations sur la découverte de " -"services, se reporter à la section de <quote>DÉCOUVERTE DE SERVICE</quote>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." 
+"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" -msgstr "dyndns_update (booléen)" +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:126 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" +"Spécifie le nom du domaine Active Directory. Ceci est facultatif. S'il " +"n'est pas fourni, le nom de domaine de la configuration est utilisé." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#: sssd-ad.5.xml:131 msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." 
msgstr "" -"NOTE : Sur les systèmes plus anciens (tels que RHEL 5), afin que ce " -"comportement fonctionne de façon fiable, le domaine Kerberos par défaut doit " -"être défini correctement dans /etc/krb5.conf" +"Pour un fonctionnement correct, cette option doit être le nom long du " +"domaine Active Directory, spécifié en minuscules." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:136 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " -"<emphasis>ipa_dyndns_update</emphasis>, les utilisateurs doivent maintenant " -"utiliser <emphasis>dyndns_update</emphasis> dans leur fichier de " -"configuration." +"Le nom de domaine court (aussi connu comme le nom NetBIOS ou nom plat) est " +"autodétecté par SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" -msgstr "dyndns_ttl (entier)" +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:146 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." 
msgstr "" -"Le TTL à appliquer à l'enregistrement du client DNS lors de sa mise à jour. " -"Si dyndns_update a la valeur false, cela n'a aucun effet. Cela remplacera le " -"TTL côté serveur s'il est défini par un administrateur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " -"<emphasis>ipa_dyndns_ttl</emphasis>, les utilisateurs doivent maintenant " -"utiliser <emphasis>dyndns_ttl</emphasis> dans leur fichier de configuration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "Par défaut : 1200 (secondes)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" -msgstr "dyndns_iface (chaîne)" +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:160 msgid "" -"Optional. Applicable only when dyndns_update is true. 
Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (string)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:173 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option " -"<emphasis>ipa_dyndns_iface</emphasis>, les utilisateurs doivent maintenant " -"utiliser <emphasis>dyndns_iface</emphasis> dans leur fichier de " -"configuration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:180 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" -msgstr "" +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:196 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" +"Facultatif. Peut être défini sur les machines où le hostname(5) ne reflète " +"pas le nom pleinenent qualifié utilisé dans le domaine Active Directory pour " +"identifier ce système." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" +"Ce champ est utilisé pour déterminer le principal d'hôte utilisé dans un " +"fichier keytab. Elle doit correspondre au nom du système pour lequel a été " +"publié un fichier keytab." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" -msgstr "ipa_enable_dns_sites (booléen)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." -msgstr "Active les sites DNS - découverte de service basée sur l'emplacement" +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:217 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -"Si true et que la découverte de service (cf. le paragraphe Découverte de " -"service au bas de la page de manuel) est activée, alors SSSD tentera d'abord " -"une découverte basée sur l'emplacement en utilisant une requête contenant " -"« _location.hostname.example.com », puis reviendra à une découverte SRV " -"traditionnelle. 
Si la découverte basée sur l'emplacement réussit, les " -"serveurs IPA ainsi découverts sont traités comme serveurs primaires, et les " -"serveurs identifiés via la découverte basée sur les enregistrements SRV " -"seront utilisés comme serveurs de repli" +"Si configuré à true et que la découverte de service (cf. le paragraphe " +"Découverte de service au bas de la page de manuel) est activée, SSSD tentera " +"d'abord de découvrir le serveur Active Directory auquel se connecter en " +"utilisant Active Directory Site Discovery, puis se repliera sur " +"l'utilisation des enregistrements DNS SRV si aucun site AD n'est trouvé. La " +"configuration SRV du DNS, incluant la découverte de domaine, est aussi " +"utilisée pendant la découverte de site." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" -msgstr "dyndns_refresh_interval (entier)" +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:236 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -"Fréquence de mise à jour des DNS par le moteur en plus des mises à jour " -"automatiques effectuées lorsque le moteur arrive en ligne. Cette option est " -"facultative, et n'est applicable que lorsque l'option dyndns_update est " -"configurée à true." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" -msgstr "dyndns_update_ptr (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:244 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -"Selon que l'enregistrement PTR doit être explicitement mis à jour lors de la " -"mise à jour des enregistrements DNS du client. Applicable uniquement lorsque " -"l'option dyndns_update est configurée à true." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:252 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." -msgstr "" -"Cette option doit être positionnée à False pour la plupart des déploiements " -"IPA, puisque le serveur IPA crée les enregistrements PTR automatiquement " -"quand les enregistrements directs sont modifiés." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "Par défaut : False (désactivé)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (booléen)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 -msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." -msgstr "" -"Selon que l'utilitaire nsupdate doit utiliser TCP par défaut pour la " -"communication avec le serveur DNS." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "Par défaut : False (laisser nsupdate choisir le protocole)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:260 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:265 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:278 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" -msgstr "" +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:311 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" -msgstr "" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:325 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Par défaut : utilise le DN de base" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (chaîne)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -"Facultatif. Utilise la chaîne donnée comme base de recherche pour les objets " -"HBAC associés." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (string)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (string)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." 
+#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -"Facultatif. Utiliser la chaîne donnée comme base de recherche pour les " -"mappages utilisateur SELinux." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -"Facultatif. Utiliser la chaîne donnée comme base de recherche pour les " -"domaines approuvés." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "Par défaut : la valeur de <emphasis>cn=trusts,%basedn</emphasis>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." 
+#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -"Facultatif. Utiliser la chaîne donnée comme base de recherche objet de " -"domaine maître." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "Par défaut : la valeur de <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" -msgstr "ipa_views_search_base (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:401 +msgid "" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. 
Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:417 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -"Le nom du domaine Kerberos. Facultatif, prend comme valeur par défaut la " -"valeur de <quote>ipa_domain</quote>." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" +msgstr "Il existe trois valeurs prises en charge pour cette option :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -"Le nom du domaine Kerberos a une signification spéciale dans IPA. Il est " -"convertit en DN de base pour effectuer les opérations LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" -msgstr "krb5_confd_path (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." -msgstr "" +#: sssd-ad.5.xml:463 +msgid "Default: permissive" +msgstr "Par défaut : permissive" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:475 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Par défaut : 5 (secondes)" - #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:495 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (entier)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (entier)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:515 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -"Le temps entre deux recherches de règles HBAC sur un serveur IPA. 
Cela " -"permet de réduire le temps de latence et la charge du serveur IPA si il y a " -"beaucoup de requêtes de contrôle d'accès sur une courte période." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (entier)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:531 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"Le temps entre les recherches de cartes SELinux sur un serveur IPA. Cela " -"réduit le temps de latence et la charge du serveur IPA s'il y a beaucoup de " -"requêtes de connexions utilisateurs sur une courte période." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (booléen)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:549 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 -msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "L'emplacement à automonter qu'utilisera ce client IPA" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "Par défaut : Le lieu nommé « default »" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" -msgstr "ipa_view_class (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" -msgstr "ipa_view_name (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "ipa_anchor_uuid (chaîne)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:697 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. 
If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" -msgstr "ipa_user_override_object_class (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (chaîne)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:755 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" -msgstr "ipa_group_override_object_class (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:790 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:808 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "FOURNISSEURS DE SOUS-DOMAINES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:852 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -"Le fournisseur de sous-domaines IPA se comporte un peu différemment s'il est " -"configuré explicitement ou implicitement." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" -"Si l'option « subdomains_provider = ipa » se trouve dans la section domaine " -"de sssd.conf, le fournisseur de sous-domaines d'IPA est configuré " -"explicitement, et toutes les demandes de sous-domaines sont envoyées au " -"serveur IPA si nécessaire." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:857 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Si l'option « subdomains_provider » n'est pas définie dans la section " -"domaine de sssd.conf, mais qu'il y a l'option « id_provider = ipa », le " -"fournisseur de sous-domaines IPA est configuré implicitement. Dans ce cas, " -"si une demande de sous-domaine échoue et indique que le serveur ne prend pas " -"en charge les sous-domaines, c'est-à-dire qu'il n'est pas configuré pour les " -"relations d'approbations, le fournisseur de sous-domaines IPA est désactivé. " -"Après une heure ou après que le fournisseur IPA arrive en ligne, le " -"fournisseur de sous-domaines est à nouveau activé." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:901 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:927 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. 
This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:989 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" +"Facultatif. Cette option indique à SSSD de mettre à jour automatiquement le " +"serveur DNS intégré à IPA v2 avec l'adresse IP de ce client. La mise à jour " +"est sécurisée avec GSS-TSIG. Ainsi, l'administrateur Active Directory a " +"uniquement besoin d'activer les mises à jour sécurisées pour la zone DNS. " +"L'adresse IP de la connexion LDAP AD est utilisée pour les mises à jour, à " +"moins qu'elle ne soit spécifiée par l'utilisation de l'option " +"<quote>dyndns_iface</quote>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "Par défaut : 3600 (secondes)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. 
This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Par défaut : True" + #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sssd-ad.5.xml:1211 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"This example shows only the AD provider-specific options." msgstr "" "L'exemple suivant suppose que SSSD est correctement configuré et example.com " "est un des domaines de la section <replaceable>[sssd]</replaceable>. Ces " -"exemples montrent seulement les options spécifiques au fournisseur IPA." +"exemples montrent seulement les options spécifiques au fournisseur AD." #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 +#: sssd-ad.5.xml:1218 #, no-wrap msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "Fournisseur Active Directory SSSD" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -"Cette page de manuel décrit la configuration du fournisseur AD pour " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section " -"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sssd-ad.5.xml:1234 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." 
+"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"Le fournisseur de contrôle d'accès AD vérifie si le compte a expiré. Cela a " +"le même effet que la configuration suivante du fournisseur LDAP : " +"<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sssd-ad.5.xml:1244 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -"Le fournisseur AD prend en charge la connexion à Active Directory 2008 R2 ou " -"ultérieures. Les versions antérieures peuvent fonctionner, mais ne sont pas " -"supportées." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sssd-ad.5.xml:1252 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "Configuration de sudo avec le moteur SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#: sssd-sudo.5.xml:23 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" +"Cette page de manuel décrit comment configurer " +"<citerefentry><refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> pour travailler avec <citerefentry><refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum></citerefentry> et comment SSSD met " +"en cache les règles sudo." + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "Configuration de sudo pour coopérer avec SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#: sssd-sudo.5.xml:38 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" +"Pour activer SSSD comme source pour les règles de sudo, ajouter " +"<emphasis>sss</emphasis> à l'entrée <emphasis>sudoers</emphasis> dans " +"<citerefentry><refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#: sssd-sudo.5.xml:47 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" +"Par exemple, pour configurer sudo pour rechercher d'abord les règles dans le " +"fichier standard <citerefentry><refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> (qui doit contenir les règles qui " +"s'appliquent aux utilisateurs locaux) et ensuite dans SSSD, le fichier " +"nsswitch.conf doit contenir la ligne suivante :" #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 +#: sssd-sudo.5.xml:57 #, no-wrap -msgid "" -"ldap_id_mapping = False\n" -" " -msgstr "" -"ldap_id_mapping = False\n" -" " +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#: sssd-sudo.5.xml:61 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." 
msgstr "" +"Plus d'informations sur la configuration de l'ordre de recherche de sudoers " +"depuis le fichier nsswitch.conf, mais aussi les informations sur le schéma " +"LDAP qui est utilisé pour stocker les règles sudo dans l'annuaire sont " +"disponibles dans <citerefentry><refentrytitle>sudoers.ldap</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#: sssd-sudo.5.xml:70 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "Configuration de SSSD pour aller chercher les règles de sudo" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -"Spécifie le nom du domaine Active Directory. Ceci est facultatif. S'il " -"n'est pas fourni, le nom de domaine de la configuration est utilisé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -"Pour un fonctionnement correct, cette option doit être le nom long du " -"domaine Active Directory, spécifié en minuscules." +"L'exemple suivant montre comment configurer SSSD pour télécharger les règles " +"sudo à partir d'un serveur LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." -msgstr "" -"Le nom de domaine court (aussi connu comme le nom NetBIOS ou nom plat) est " -"autodétecté par SSSD." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). 
If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "Le mécanisme de mise en cache de règles SUDO" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" +"Le plus grand défi lors du développement de la prise en charge de sudo dans " +"SSSD était de de s'assurer que l'utilisation d'un sudo exploitant SSSD comme " +"source de données fournissait la même expérience utilisateur et était aussi " +"rapide que sudo, tout en conservant le jeu de règles le plus à jour " +"possible. Pour satisfaire ces exigences, SSSD utilise trois types de mises à " +"jour. Elles sont appelées actualisation complète, rafraîchissement " +"intelligent et rafraîchissement des règles." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" +"Le <emphasis>rafraîchissement intelligent</emphasis> télécharge " +"périodiquement les règles qui sont nouvelles ou qui ont été modifiées après " +"la dernière mise à jour. Son but premier est d'éviter à la base de données " +"de grossir en allant chercher de petits incréments qui ne génèrent pas de " +"gros de trafic réseau." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." 
msgstr "" +"Le <emphasis>rafracîchissement complèt</emphasis> supprime simplement toutes " +"les règles sudo stockées dans le cache et les remplace par toutes les règles " +"qui sont stockées sur le serveur. Ceci est utilisé pour assurer la cohérence " +"de cache en supprimant toutes les règles qui ont été supprimées du serveur. " +"Cependant, un rafraîchissement complet peut produire beaucoup de trafic et " +"doit n'être exécuté qu'occasionnellement selon la taille et de la stabilité " +"des règles sudo." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" +"Le <emphasis>rafraîchissement des règles</emphasis> fait en sorte de ne pas " +"accorder à l'utilisateur plus d'autorisations que défini. Il est déclenché " +"chaque fois que l'utilisateur exécute sudo. L'actualisation des règles " +"trouvera toutes les règles qui s'appliquent à cet utilisateur, vérifie leur " +"date d'expiration et les retéléchargera si elles ont expiré. Dans le cas où " +"l'une de ces règles est manquante sur le serveur, SSSD programmera en " +"parallèle un rafraîchissement complet hors ligne car d'autres règles " +"(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" +"Si activé, SSSD stocke uniquement les règles qui peuvent être appliquées à " +"cette machine. En d'autres termes, ce sont les règles qui contiennent une " +"des valeurs suivantes dans l'attribut de <emphasis>sudoHost</emphasis> :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "mot-clé ALL" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." -msgstr "" -"Facultatif. Peut être défini sur les machines où le hostname(5) ne reflète " -"pas le nom pleinenent qualifié utilisé dans le domaine Active Directory pour " -"identifier ce système." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "joker" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 -msgid "" -"This field is used to determine the host principal in use in the keytab. 
It " -"must match the hostname for which the keytab was issued." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "netgroup (sous la forme « +netgroup »)" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -"Ce champ est utilisé pour déterminer le principal d'hôte utilisé dans un " -"fichier keytab. Elle doit correspondre au nom du système pour lequel a été " -"publié un fichier keytab." +"nom de système ou le nom de domaine pleinement qualifié de cette machine" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (booléen)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "une des adresses IP de cette machine" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "une des adresses IP du réseau (sous la forme « adresse/masque »)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. 
The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"Si configuré à true et que la découverte de service (cf. le paragraphe " -"Découverte de service au bas de la page de manuel) est activée, SSSD tentera " -"d'abord de découvrir le serveur Active Directory auquel se connecter en " -"utilisant Active Directory Site Discovery, puis se repliera sur " -"l'utilisation des enregistrements DNS SRV si aucun site AD n'est trouvé. La " -"configuration SRV du DNS, incluant la découverte de domaine, est aussi " -"utilisée pendant la découverte de site." +"Il existe de nombreuses options de configuration qui peuvent être utilisées " +"pour ajuster le comportement. Consulter « ldap_sudo_ * » dans " +"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> et « sudo_ * » dans " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "ad_access_filter (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. 
Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "System Security Services Daemon" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." 
msgstr "" +"<command>SSSD</command> fournit un jeu de démons pour gérer l'accès à des " +"dossiers distants et les mécanismes d'authentification. Il fournit une " +"interface NSS et PAM au travers du système et un moteur système extensible " +"par greffons pour se connecter à de multiples comptes de sources différentes " +"en plus d'une interface D-Bus. C'est aussi un moyen de fournir un moyen " +"d'audit client et une politique de services pour les projets tels que " +"FreeIPA. Il fournit une base de donnée plus robuste pour stocker les " +"utilisateurs locaux ainsi que les données étendues des utilisateurs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 -msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" +"<emphasis>1</emphasis> : Ajouter un horodatage aux messages de débogage" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" +"<emphasis>0</emphasis> : Désactiver l'horodatage dans les messages de " +"débogage" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "ad_site (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" +"<emphasis>1</emphasis> : Ajouter les microsecondes à l'horodatage dans les " +"messages de débogage" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "ad_enable_gc (booléen)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" +"<emphasis>0</emphasis> : Désactiver les microsecondes dans l'horodatage" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" +"Envoie la sortie de débogage vers des fichiers plutôt que vers la sortie " +"d'erreur standard. Par défaut, les fichiers de sortie sont stockés dans " +"<filename>/var/log/sssd</filename> et des fichiers différents sont créés " +"pour chaque service et domaine SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "ad_gpo_access_control (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. 
By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "Il existe trois valeurs prises en charge pour cette option :" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." 
+msgstr "Devenir un démon après le démarrage." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 -msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Tourner en avant-plan et ne pas devenir un démon." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" -msgstr "Par défaut : permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. 
For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Définit un fichier de configuration autre que celui par défaut (<filename>/" +"etc/sssd/sssd.conf</filename>). Pour obtenir des informations sur la syntaxe " +"et les options du fichier de configuration, consulter les pages de manuel de " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" -msgstr "ad_gpo_cache_timeout (entier)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." 
+msgstr "Afficher le numéro de version et quitter." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" -msgstr "ad_gpo_map_interactive (chaîne)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Signaux" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" +"Indique à SSSD de fermer normalement tous ses processus fils puis d'arrêter " +"le moniteur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" +"Précise à SSSD de ne plus écrire vers son fichier de débogage actuel, de le " +"fermer et de le rouvrir. Cela permet de faciliter les rotations de fichiers " +"de sortie avec des programmes tels que logrotate." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +#| "debug messages will be sent to stderr." +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" +"Si la variable d'environnement SSSD_KRB5_LOCATOR_DEBUG a une valeur " +"quelconque, des messages de débogage seront envoyés sur la sortie standard " +"d'erreur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" -msgstr "ad_gpo_map_remote_interactive (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "obscurcir un mot de passe en clair" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" +"<command>sss_obfuscate</command> convertit un mot de passe donné en un " +"format illisible par un humain et le place dans la section de domaine " +"appropriée du fichier de configuration SSSD." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" +"Le mot de passe en clair est lu dans l'entrée standard ou entré " +"interactivement. Les mots de passes chiffrés sont mis dans " +"<quote>ldap_default_authtok</quote> pour un domaine SSSD donné et le " +"paramètre <quote>ldap_default_authtok_type</quote> est défini à " +"<quote>obfuscated_password</quote>. Cf. <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de " +"détails sur ces paramètres." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" +"Veuillez noter que les mots de passe chiffrés ne fournissent <emphasis>aucun " +"réel bénéfice de sécurité</emphasis> étant donné qu'il est possible de " +"retrouver le mot de passe par ingénierie-inverse. Utiliser un meilleur " +"mécanisme d'authentification tel que les certificats côté client ou GSSAPI " +"est <emphasis>très</emphasis> conseillé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "ad_gpo_map_network (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "Le mot de passe chiffré sera lu sur l'entrée standard." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAINE</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" +"Le domaine SSSD auquel est lié le mot de passe. Le nom par défaut est " +"<quote>default</quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>FICHIER</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "Lit le fichier de configuration spécifié par le paramètre." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" -msgstr "ad_gpo_map_batch (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Par défaut : <filename>/etc/sssd/sssd.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "ad_gpo_map_service (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "ad_gpo_map_permit (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "ad_gpo_map_deny (chaîne)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" -msgstr "ad_gpo_default_right (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. 
A value of 0 will disable the renewal " -"attempt." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 -msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -"Facultatif. Cette option indique à SSSD de mettre à jour automatiquement le " -"serveur DNS intégré à IPA v2 avec l'adresse IP de ce client. La mise à jour " -"est sécurisée avec GSS-TSIG. Ainsi, l'administrateur Active Directory a " -"uniquement besoin d'activer les mises à jour sécurisées pour la zone DNS. " -"L'adresse IP de la connexion LDAP AD est utilisée pour les mises à jour, à " -"moins qu'elle ne soit spécifiée par l'utilisation de l'option " -"<quote>dyndns_iface</quote>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "Par défaut : 3600 (secondes)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Par défaut : True" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -"L'exemple suivant suppose que SSSD est correctement configuré et example.com " -"est un des domaines de la section <replaceable>[sssd]</replaceable>. Ces " -"exemples montrent seulement les options spécifiques au fournisseur AD." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 -msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -"Le fournisseur de contrôle d'accès AD vérifie si le compte a expiré. Cela a " -"le même effet que la configuration suivante du fournisseur LDAP : " -"<placeholder type=\"programlisting\" id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 -msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 -msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "Configuration de sudo avec le moteur SSSD" +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "créer un utilisateur" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"Cette page de manuel décrit comment configurer " -"<citerefentry><refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> pour travailler avec <citerefentry><refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum></citerefentry> et comment SSSD met " -"en cache les règles sudo." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "Configuration de sudo pour coopérer avec SSSD" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>UTILISATEUR</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#: sss_useradd.8.xml:32 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -"Pour activer SSSD comme source pour les règles de sudo, ajouter " -"<emphasis>sss</emphasis> à l'entrée <emphasis>sudoers</emphasis> dans " -"<citerefentry><refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." 
+"<command>sss_useradd</command> crée un nouveau compte utilisateur en " +"utilisant les valeurs spécifiées en ligne de commande auquelles sont " +"ajoutées les valeurs par défaut du système." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -"Par exemple, pour configurer sudo pour rechercher d'abord les règles dans le " -"fichier standard <citerefentry><refentrytitle>sudoers</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> (qui doit contenir les règles qui " -"s'appliquent aux utilisateurs locaux) et ensuite dans SSSD, le fichier " -"nsswitch.conf doit contenir la ligne suivante :" - -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -"Plus d'informations sur la configuration de l'ordre de recherche de sudoers " -"depuis le fichier nsswitch.conf, mais aussi les informations sur le schéma " -"LDAP qui est utilisé pour stocker les règles sudo dans l'annuaire sont " -"disponibles dans <citerefentry><refentrytitle>sudoers.ldap</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>." +"Définit l'UID de l'utilisateur à la valeur <replaceable>UID</replaceable>. " +"Si non précisé, il est choisit automatiquement." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTAIRE</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "Configuration de SSSD pour aller chercher les règles de sudo" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" +"Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme " +"champ pour le nom entier de l'utilisateur." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -"L'exemple suivant montre comment configurer SSSD pour télécharger les règles " -"sudo à partir d'un serveur LDAP." +"Le répertoire personnel du compte utilisateur. Par défaut, on ajoute " +"<replaceable>LOGIN</replaceable> à <filename>/home</filename> et on utilise " +"cela comme dossier personnel. La base précédent <replaceable>LOGIN</" +"replaceable> est modifiable avec le paramètre <quote>user_defaults/" +"baseDirectory</quote> de sssd.conf." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" +"L'interpréteur de commande de l'utilisateur. La valeur par défaut actuelle, " +"<filename>/bin/bash</filename>, peut être modifiée avec le paramètre " +"<quote>user_defaults/defaultShell</quote> dans sssd.conf." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPES</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "Le mécanisme de mise en cache de règles SUDO" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "Une liste de groupes existants dont l'utilisateur est aussi membre." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. 
They are referred to as full refresh, smart refresh and rules " -"refresh." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -"Le plus grand défi lors du développement de la prise en charge de sudo dans " -"SSSD était de de s'assurer que l'utilisation d'un sudo exploitant SSSD comme " -"source de données fournissait la même expérience utilisateur et était aussi " -"rapide que sudo, tout en conservant le jeu de règles le plus à jour " -"possible. Pour satisfaire ces exigences, SSSD utilise trois types de mises à " -"jour. Elles sont appelées actualisation complète, rafraîchissement " -"intelligent et rafraîchissement des règles." +"Crée le répertoire personnel de l'utilisateur s'il n'existe pas. Les " +"fichiers et répertoires inclus dans le répertoire squelette (pouvant être " +"définis avec l'option -k ou dans le fichier de configuration) sont copiés " +"dans le dossier personnel." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"Do not create the user's home directory. Overrides configuration settings." 
msgstr "" -"Le <emphasis>rafraîchissement intelligent</emphasis> télécharge " -"périodiquement les règles qui sont nouvelles ou qui ont été modifiées après " -"la dernière mise à jour. Son but premier est d'éviter à la base de données " -"de grossir en allant chercher de petits incréments qui ne génèrent pas de " -"gros de trafic réseau." +"Ne pas créer de dossier personnel pour l'utilisateur. Écrase les paramètres " +"de configuration." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -"Le <emphasis>rafracîchissement complèt</emphasis> supprime simplement toutes " -"les règles sudo stockées dans le cache et les remplace par toutes les règles " -"qui sont stockées sur le serveur. Ceci est utilisé pour assurer la cohérence " -"de cache en supprimant toutes les règles qui ont été supprimées du serveur. " -"Cependant, un rafraîchissement complet peut produire beaucoup de trafic et " -"doit n'être exécuté qu'occasionnellement selon la taille et de la stabilité " -"des règles sudo." +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -"Le <emphasis>rafraîchissement des règles</emphasis> fait en sorte de ne pas " -"accorder à l'utilisateur plus d'autorisations que défini. Il est déclenché " -"chaque fois que l'utilisateur exécute sudo. L'actualisation des règles " -"trouvera toutes les règles qui s'appliquent à cet utilisateur, vérifie leur " -"date d'expiration et les retéléchargera si elles ont expiré. Dans le cas où " -"l'une de ces règles est manquante sur le serveur, SSSD programmera en " -"parallèle un rafraîchissement complet hors ligne car d'autres règles " -"(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées." +"Le répertoire squelette, contenant les fichiers et répertoires à copier dans " +"le répertoire personnel de l'utilisateur, quand le répertoire personnel est " +"créé par <command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. 
" -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -"Si activé, SSSD stocke uniquement les règles qui peuvent être appliquées à " -"cette machine. En d'autres termes, ce sont les règles qui contiennent une " -"des valeurs suivantes dans l'attribut de <emphasis>sudoHost</emphasis> :" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "mot-clé ALL" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "joker" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "netgroup (sous la forme « +netgroup »)" +"Les fichiers spéciaux (périphériques blocs, caractères, tubes nommés et " +"sockets unix) ne seront pas copiés." -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -"nom de système ou le nom de domaine pleinement qualifié de cette machine" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "une des adresses IP de cette machine" +"L'option n'est valide que si l'option <option>-m</option> (ou <option>--" +"create-home</option>) est utilisée ou si la création de répertoires " +"personnels est à TRUE dans la configuration." -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "une des adresses IP du réseau (sous la forme « adresse/masque »)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>UTILISATEUR_SELINUX</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -"Il existe de nombreuses options de configuration qui peuvent être utilisées " -"pour ajuster le comportement. 
Consulter « ldap_sudo_ * » dans " -"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> et « sudo_ * » dans " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." +"L'utilisateur SELinux pour la connexion utilisateur. Si non spécifié, la " +"valeur par défaut du système est utilisée." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "System Security Services Daemon" +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "Fournisseur Kerberos SSSD" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Cette page de manuel décrit la configuration du moteur d'authentification de " +"Kerberos 5 pour <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. 
Pour une référence détaillée sur " +"la syntaex, veuillez vous référer à la section <quote>FORMAT DE FICHIER</" +"quote> du manuel de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sssd-krb5.5.xml:36 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -"<command>SSSD</command> fournit un jeu de démons pour gérer l'accès à des " -"dossiers distants et les mécanismes d'authentification. Il fournit une " -"interface NSS et PAM au travers du système et un moteur système extensible " -"par greffons pour se connecter à de multiples comptes de sources différentes " -"en plus d'une interface D-Bus. C'est aussi un moyen de fournir un moyen " -"d'audit client et une politique de services pour les projets tels que " -"FreeIPA. 
Il fournit une base de donnée plus robuste pour stocker les " -"utilisateurs locaux ainsi que les données étendues des utilisateurs." +"Le moteur d'authentification Kerberos 5 contient les fournisseurs " +"d'authentification et de changement de mot de passe. Il doit être couplé " +"avec un fournisseur d'identité de manière à fonctionner proprement (par " +"exemple, id_provider = ldap). Plusieurs informations requises par le moteur " +"d'authentification Kerberos 5 doivent être fournies par le fournisseur " +"d'identité, telles que le nom du principal de l'utilisateur Kerberos (UPN). " +"La configuration du fournisseur d'identité doit avoir une entrée pour " +"spécifier l'UPN. Veuillez vous référer aux pages du manuel du fournisseur " +"d'identité ad-hoc pour pouvoir le configurer." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. 
" +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -"<emphasis>1</emphasis> : Ajouter un horodatage aux messages de débogage" +"Ce moteur fournit aussi un contrôle d'accès sur le fichier .k5login dans le " +"répertoire personnel de l'utilisateur. Voir <citerefentry> <refentrytitle>." +"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> pour plus de " +"détails. Veuillez noter qu'un fichier .k5login vide interdira tout accès " +"pour cet utilisateur. Pour activer cette option, utilisez « access_provider " +"= krb5 » dans votre configuration de SSSD." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -"<emphasis>0</emphasis> : Désactiver l'horodatage dans les messages de " -"débogage" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +"Dans le cas où l'UPN n'est pas valide dans le moteur d'identité, " +"<command>sssd</command> construira un UPN en utilisant le format " +"<replaceable>utilisateur</replaceable>@<replaceable>krb5_realm</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"<emphasis>1</emphasis> : Ajouter les microsecondes à l'horodatage dans les " -"messages de débogage" +"Spécifie la liste séparée par des virgules des adresses IP ou des noms de " +"systèmes des serveurs Kerberos auquel SSSD doit se connecter, par ordre de " +"préférence. Pour plus d'informations sur la redondance par bascule et le " +"serveur, consultez la section de <quote>BASCULE</quote>. Un numéro de port " +"facultatif (précédé de deux-points) peut être ajouté aux adresses ou aux " +"noms de systèmes. Si vide, le service de découverte est activé - pour plus " +"d'informations, se reporter à la section <quote>DÉCOUVERTE DE SERVICE</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -"<emphasis>0</emphasis> : Désactiver les microsecondes dans l'horodatage" +"Le nom du domaine Kerberos. Cette option est nécessaire et doit être " +"renseignée." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (string)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -"Envoie la sortie de débogage vers des fichiers plutôt que vers la sortie " -"d'erreur standard. Par défaut, les fichiers de sortie sont stockés dans " -"<filename>/var/log/sssd</filename> et des fichiers différents sont créés " -"pour chaque service et domaine SSSD." +"Si le service de changement de mot de passe ne fonctionne pas sur le KDC, " +"des serveurs de secours peuvent être définis ici. Un numéro de port " +"facultatif (précédé par un signe deux-points) peut-être être suffixé aux " +"adresses ou aux noms de systèmes." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." 
+"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" +"Pour plus d'information sur la bascule et la redondance de serveurs, voir la " +"section <quote>BASCULE</quote>. Noter que même si il n'y a plus de serveurs " +"kpasswd à essayer, le moteur ne passe pas en mode hors-ligne si " +"l'authentification KDC est toujours possible." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Par défaut : utiliser le KDC" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. 
The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 -msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Par défaut : /tmp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 -msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Devenir un démon après le démarrage." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "identifiant de connexion" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Tourner en avant-plan et ne pas devenir un démon." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "UID de l'utilisateur" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"Définit un fichier de configuration autre que celui par défaut (<filename>/" -"etc/sssd/sssd.conf</filename>). 
Pour obtenir des informations sur la syntaxe " -"et les options du fichier de configuration, consulter les pages de manuel de " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "nom du principal" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nom de domaine" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 -msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. 
This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "répertoire personnel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Afficher le numéro de version et quitter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "valeur de krb5_ccachedir" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Signaux" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "l'ID de processus du client SSSD" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." -msgstr "" -"Indique à SSSD de fermer normalement tous ses processus fils puis d'arrêter " -"le moniteur." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "un « % » littéral" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"Précise à SSSD de ne plus écrire vers son fichier de débogage actuel, de le " -"fermer et de le rouvrir. 
Cela permet de faciliter les rotations de fichiers " -"de sortie avec des programmes tels que logrotate." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Par défaut : (valeur provenant de libkrb5)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "obscurcir un mot de passe en clair" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (entier)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." 
msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Délai d'attente, en secondes, après l'annulation d'une requête " +"d'authentification en ligne ou de changement de mot de passe. La requête " +"d'authentification sera effectuée hors-ligne si cela est possible." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 -msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." -msgstr "" -"<command>sss_obfuscate</command> convertit un mot de passe donné en un " -"format illisible par un humain et le place dans la section de domaine " -"appropriée du fichier de configuration SSSD." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (booléen)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. 
If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -"Le mot de passe en clair est lu dans l'entrée standard ou entré " -"interactivement. Les mots de passes chiffrés sont mis dans " -"<quote>ldap_default_authtok</quote> pour un domaine SSSD donné et le " -"paramètre <quote>ldap_default_authtok_type</quote> est défini à " -"<quote>obfuscated_password</quote>. Cf. <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de " -"détails sur ces paramètres." +"Vérifie à l'aide de krb5_keytab que le TGT obtenu n'a pas été usurpé. Les " +"entrées d'un fichier keytab sont vérifiées dans l'ordre, et la première " +"entrée avec un domaine correspondant est utilisée pour la validation. Si " +"aucune entrée ne correspond au domaine, la dernière entrée dans le fichier " +"keytab est utilisée. Ce processus peut être utilisé pour valider des " +"environnements utilisant l'approbation entre domaines en plaçant l'entrée " +"keytab appropriée comme dernière ou comme seule entrée dans le fichier " +"keytab." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." 
+"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -"Veuillez noter que les mots de passe chiffrés ne fournissent <emphasis>aucun " -"réel bénéfice de sécurité</emphasis> étant donné qu'il est possible de " -"retrouver le mot de passe par ingénierie-inverse. Utiliser un meilleur " -"mécanisme d'authentification tel que les certificats côté client ou GSSAPI " -"est <emphasis>très</emphasis> conseillé." +"L'emplacement du fichier keytab à utiliser pour valider les données " +"d'identification obtenues à partir de KDC." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Par défaut : /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." -msgstr "Le mot de passe chiffré sera lu sur l'entrée standard." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (booléen)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAINE</" -"replaceable>" +"Stocke le mot de passe de l'utilisateur si le fournisseur est hors-ligne, " +"puis l'utilise pour obtenir un TGT lorsque le fournisseur redevient " +"disponible en ligne." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -"Le domaine SSSD auquel est lié le mot de passe. Le nom par défaut est " -"<quote>default</quote>." +"NOTE : cette fonctionnalité n'est actuellement disponible que sur les plates-" +"formes Linux. Les mots de passe stockés de cette manière sont conservés en " +"texte brut dans le trousseau de clés du noyau et sont potentiellement " +"accessibles à l'utilisateur root (avec difficulté)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>FICHIER</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "Lit le fichier de configuration spécifié par le paramètre." +"Demande un ticket renouvelable avec une durée de vie totale, donnée par un " +"entier immédiatement suivi par une unité de temps :" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Par défaut : <filename>/etc/sssd/sssd.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> pour secondes" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> pour minutes" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> pour heures" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> pour jours." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 -msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. 
SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" +"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée " +"de vie renouvelable de une heure et trente minutes, utiliser « 90m » au lieu " +"de « 1h30m »." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" +"Par défaut : non défini, c'est-à-dire que le TGT n'est pas renouvelable" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 -msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (chaîne)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" +"Demande un ticket avec une durée de vie, donnée par un entier immédiatement " +"suivi par une unité de temps :" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" +"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée " +"de vie de une heure et trente minutes, utiliser « 90m » au lieu de « 1h30m »." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" +"Par défaut : non défini, c'est-à-dire la durée de vie par défaut configurée " +"dans le KDC." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" +"La durée, en secondes, entre deux vérifications pour savoir si le TGT doit " +"être renouvelé. Les TGT sont renouvelés si environ la moitié de leur durée " +"de vie est dépassée. Indiquée par un entier immédiatement suivi d'une unité " +"de temps :" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" +"Si cette option n'est pas définie ou définie à 0, le renouvellement " +"automatique est désactivé." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" +"Active le flexible authentication secure tunneling (FAST) pour la pré-" +"authentification Kerberos. Les options suivantes sont supportées :" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" +"<emphasis>never</emphasis> : ne jamais utiliser FAST. Ceci équivaut à ne pas " +"définir cette option." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" +"<emphasis>try</emphasis> : eassyer d'utiliser FAST. Si le serveur ne prend " +"pas en charge FAST, continuer l'authentification sans." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" +"<emphasis>demander</emphasis>  : imposer d'utiliser FAST. L'authentification " +"échoue si le serveur ne requiert pas FAST." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Par défaut : non défini, i.e. FAST n'est pas utilisé." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "NOTE : un fichier keytab est requis pour utiliser FAST." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" +"NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos " +"version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de " +"MIT Kerberos avec cette option est une erreur de configuration." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 -msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "Spécifie le principal de serveur afin d'utiliser FAST." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" +"Spécifie si les principaux du système et de l'utilisateur doivent être " +"rendus canoniques. Cette fonctionnalité est disponible avec MIT Kerberos 1.7 " +"et versions suivantes." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " +#| "more information on the locator plugin." msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" +"Consulter la page de manuel de <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> pour plus d'informations sur le greffon de " +"localisation." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (booléen)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" +"Indique si le principal de l'utilisateur doit être traité comme un principal " +"d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les " +"principals d'entreprise." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "Par défaut : false (AD provider : true)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"Si le module auth krb5 est utilisé dans un domaine SSSD, les options " +"suivantes doivent être utilisées. Cf. la page de manuel " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>, section <quote>SECTIONS DOMAINE</quote> pour plus " +"de détails sur la configuration d'un domaine SSSD. 
<placeholder type=" +"\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" +"L'exemple suivant suppose que SSSD est correctement configuré et que FOO est " +"l'un des domaines de la section <replaceable>[sssd]</replaceable>. Cet " +"exemple montre uniquement la configuration de l'authentification Kerberos, " +"et n'inclut aucun fournisseur d'identité." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "créer un utilisateur" +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "Créer un nouveau groupe" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_groupadd.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" "arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>UTILISATEUR</" -"replaceable></arg>" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_groupadd.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -"<command>sss_useradd</command> crée un nouveau compte utilisateur en " -"utilisant les valeurs spécifiées en ligne de commande auquelles sont " -"ajoutées les valeurs par défaut du système." +"<command>sss_groupadd</command> crée un nouveau groupe. Ces groupes sont " +"compatibles avec les groupes POSIX, avec la caractéristique supplémentaire " +"qu'ils peuvent contenir d'autres groupes comme membres." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_groupadd.8.xml:48 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " "not given, it is chosen automatically." msgstr "" -"Définit l'UID de l'utilisateur à la valeur <replaceable>UID</replaceable>. " -"Si non précisé, il est choisit automatiquement." +"Positionne le GID du groupe à la valeur <replaceable>GID</replaceable>. Si " +"non spécifié, il est choisi automatiquement." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "Supprimer un compte utilisateur" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTAIRE</" -"replaceable>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -"Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme " -"champ pour le nom entier de l'utilisateur." +"<command>sss_userdel</command> supprime du système un utilisateur identifié " +"par son identifiant de connexion <replaceable>LOGIN</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" -msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_userdel.8.xml:48 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"Le répertoire personnel du compte utilisateur. Par défaut, on ajoute " -"<replaceable>LOGIN</replaceable> à <filename>/home</filename> et on utilise " -"cela comme dossier personnel. La base précédent <replaceable>LOGIN</" -"replaceable> est modifiable avec le paramètre <quote>user_defaults/" -"baseDirectory</quote> de sssd.conf." +"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " +"l'utilisateur et sa messagerie seront supprimés. Outrepasse la configuration." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#: sss_userdel.8.xml:60 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." 
+"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"L'interpréteur de commande de l'utilisateur. La valeur par défaut actuelle, " -"<filename>/bin/bash</filename>, peut être modifiée avec le paramètre " -"<quote>user_defaults/defaultShell</quote> dans sssd.conf." +"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " +"l'utilisateur et sa messagerie ne seront PAS supprimés. Outrepasse la " +"configuration." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" -msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPES</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "Une liste de groupes existants dont l'utilisateur est aussi membre." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#: sss_userdel.8.xml:72 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." 
+"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -"Crée le répertoire personnel de l'utilisateur s'il n'existe pas. Les " -"fichiers et répertoires inclus dans le répertoire squelette (pouvant être " -"définis avec l'option -k ou dans le fichier de configuration) sont copiés " -"dans le dossier personnel." +"Cette option oblige <command>sss_userdel</command> à supprimer le répertoire " +"home de l'utilisateur et sa messagerie, même si ils ne sont pas détenus par " +"l'utilisateur spécifié." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. Overrides configuration settings." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -"Ne pas créer de dossier personnel pour l'utilisateur. Écrase les paramètres " -"de configuration." +"Avant de réellement supprimer l'utilisateur, mettre fin à tous ses processus." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "supprimer un groupe" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -"Le répertoire squelette, contenant les fichiers et répertoires à copier dans " -"le répertoire personnel de l'utilisateur, quand le répertoire personnel est " -"créé par <command>sss_useradd</command>." +"<command>sss_groupdel</command> supprime du système un groupe identifié par " +"son nom de groupe <replaceable>GROUPE</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "affiche les propriétés d'un groupe" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"Les fichiers spéciaux (périphériques blocs, caractères, tubes nommés et " -"sockets unix) ne seront pas copiés." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -"L'option n'est valide que si l'option <option>-m</option> (ou <option>--" -"create-home</option>) est utilisée ou si la création de répertoires " -"personnels est à TRUE dans la configuration." +"<command>sss_groupshow</command> affiche des informations sur un groupe " +"identifié par son nom <replaceable>GROUPE</replaceable>. Les informations " +"incluent l'ID de groupe, les membres du groupe ainsi que le groupe parent." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" -msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>UTILISATEUR_SELINUX</replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#: sss_groupshow.8.xml:47 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -"L'utilisateur SELinux pour la connexion utilisateur. Si non spécifié, la " -"valeur par défaut du système est utilisée." +"Affiche aussi les membres indirects de groupe dans une hiérarchie " +"arborescente. Noter que cela affecte également les affichages de groupes " +"parents - sans l'option <option>R</option>, seul le parent direct sera " +"affiché." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "Fournisseur Kerberos SSSD" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "modifier un compte utilisateur" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"Cette page de manuel décrit la configuration du moteur d'authentification de " -"Kerberos 5 pour <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Pour une référence détaillée sur " -"la syntaex, veuillez vous référer à la section <quote>FORMAT DE FICHIER</" -"quote> du manuel de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_usermod.8.xml:32 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." 
+"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"Le moteur d'authentification Kerberos 5 contient les fournisseurs " -"d'authentification et de changement de mot de passe. Il doit être couplé " -"avec un fournisseur d'identité de manière à fonctionner proprement (par " -"exemple, id_provider = ldap). Plusieurs informations requises par le moteur " -"d'authentification Kerberos 5 doivent être fournies par le fournisseur " -"d'identité, telles que le nom du principal de l'utilisateur Kerberos (UPN). " -"La configuration du fournisseur d'identité doit avoir une entrée pour " -"spécifier l'UPN. Veuillez vous référer aux pages du manuel du fournisseur " -"d'identité ad-hoc pour pouvoir le configurer." +"<command>sss_usermod</command> modifie le compte défini par " +"<replaceable>LOGIN</replaceable> pour refléter les modifications fournies en " +"ligne de commande." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "Le répertoire personnel du compte utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "L'interpréteur de commandes de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. 
" -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -"Ce moteur fournit aussi un contrôle d'accès sur le fichier .k5login dans le " -"répertoire personnel de l'utilisateur. Voir <citerefentry> <refentrytitle>." -"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> pour plus de " -"détails. Veuillez noter qu'un fichier .k5login vide interdira tout accès " -"pour cet utilisateur. Pour activer cette option, utilisez « access_provider " -"= krb5 » dans votre configuration de SSSD." +"Ajouter cet utilisateur aux groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>. Le paramètre <replaceable>GROUPS</" +"replaceable> est une liste séparée par des virgules de noms de groupes." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"Dans le cas où l'UPN n'est pas valide dans le moteur d'identité, " -"<command>sssd</command> construira un UPN en utilisant le format " -"<replaceable>utilisateur</replaceable>@<replaceable>krb5_realm</replaceable>." +"Retirer cet utilisateur de groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." -msgstr "" -"Spécifie la liste séparée par des virgules des adresses IP ou des noms de " -"systèmes des serveurs Kerberos auquel SSSD doit se connecter, par ordre de " -"préférence. Pour plus d'informations sur la redondance par bascule et le " -"serveur, consultez la section de <quote>BASCULE</quote>. Un numéro de port " -"facultatif (précédé de deux-points) peut être ajouté aux adresses ou aux " -"noms de systèmes. Si vide, le service de découverte est activé - pour plus " -"d'informations, se reporter à la section <quote>DÉCOUVERTE DE SERVICE</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 -msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Verrouiller le compte utilisateur. Il ne pourra plus se connecter." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Déverrouiller le compte utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" -"Le nom du domaine Kerberos. Cette option est nécessaire et doit être " -"renseignée." +"L'utilisateur SELinux pour l'identifiant de connexion de l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"Si le service de changement de mot de passe ne fonctionne pas sur le KDC, " -"des serveurs de secours peuvent être définis ici. Un numéro de port " -"facultatif (précédé par un signe deux-points) peut-être être suffixé aux " -"adresses ou aux noms de systèmes." +"Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour " +"les attributs multi-valués, la commande remplace les valeurs déjà présentes." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -"Pour plus d'information sur la bascule et la redondance de serveurs, voir la " -"section <quote>BASCULE</quote>. 
Noter que même si il n'y a plus de serveurs " -"kpasswd à essayer, le moteur ne passe pas en mode hors-ligne si " -"l'authentification KDC est toujours possible." +"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Par défaut : utiliser le KDC" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (chaîne)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "effectue le nettoyage du cache" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Par défaut : /tmp" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. 
Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (chaîne)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "identifiant de connexion" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalider un utilisateur spécifique." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "UID de l'utilisateur" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" +"L'annulation de tous les enregistrements d'utilisateur. Cette option prend " +"le pas sur l'invalidation d'un utilisateur spécifique, si elle a été " +"également configuré." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "nom du principal" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "L'annulation de groupe spécifique." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "nom de domaine" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"L'annulation de tous les enregistrements de groupe. Cette option prend le " +"pas sur l'invalidation d'un groupe spécifique si elle a été également " +"définie." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "répertoire personnel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Invalide un netgroup spécifique." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" -msgstr "valeur de krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"Invalider tous les enregistrements de netgroup. Cette option prend le pas " +"sur l'invalidation de netgroup spécifiques s'il a été également définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Invalider le service spécifique." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. 
This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"Invalider tous les enregistrements de service. Cette option se substitue à " +"l'invalidation de service spécifique s'elle a également été définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalider des cartes autofs spécifiques." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"Invalider toutes les cartes autofs. Cette option remplace l'invalidation de " +"carte spécifique s'elle a également été définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restreindre le processus d'invalidation à un domaine particulier." + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "initialise le cache SSSD avec un utilisateur" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" +"<command>sss_seed</command> initialise le cache SSSD avec une entrée " +"d'utilisateur et le mot de passe temporaire. Si une entrée d'utilisateur est " +"déjà présente dans le cache de SSSD, l'entrée est mise à jour avec le mot de " +"passe temporaire." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Indique le nom de domaine duquel l'utilisateur est membre. 
Le domaine est " +"également utilisé pour récupérer les informations sur l'utilisateur. Le " +"domaine doit être configuré dans sssd.conf. L'option <replaceable>DOMAIN</" +"replaceable> doit être fournie. Les informations récupérées depuis le " +"domaine prennent le pas sur ce qui est fourni dans les options." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" +"Le nom d'utilisateur de l'entrée devant être créée ou modifiée dans le " +"cache. L'option <replaceable>USER</replaceable> doit être fournie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Définit l'UID de l'utilisateur à <replaceable>UID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "Définit le GID de l'utilisateur à <replaceable>GID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" +"Définit le répertoire de l'utilisateur à <replaceable>HOME_DIR</replaceable>." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" +"Définit l'interpréteur de commande de l'utilisateur à <replaceable>SHELL</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" +"Mode interactif pour la saisie des informations de l'utilisateur. Cette " +"option invite uniquement à la saisir des renseignements non fournis dans les " +"options ou non récupérés à partir du domaine." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"Spécifie le fichier dans lequel lire le mot de passe de l'utilisateur. (si " +"aucun mot de passe n'est spécifié, il sera demandé)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." 
+msgstr "" +"La taille du mot de passe (ou la taille du fichier spécifié avec l'option -p " +"ou --password-file) doit être inférieure ou égale à PASS_MAX octets (64 " +"octets sur les systèmes sans valeur globale définie de PASS_MAX)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" -msgstr "l'ID de processus du client SSSD" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "un « % » littéral" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 msgid "" -"Location of the user's credential cache. 
Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "identifiant de connexion de l'utilisateur" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "identifiant de l'utilisateur" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "identifiant de groupe primaire" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "informations utilisateur, généralement le nom complet" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "interpréteur de commande" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" +"Par défaut : non défini. Seul le jeu d'attributs POSIX par défaut est " +"autorisé." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "FICHIER DE CONFIGURATION" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "EXTENSION DE CONFIGURATION SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "Section de configuration [sss]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 -msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 -msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" -msgstr "Par défaut : (valeur provenant de libkrb5)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "INTÉGRATION SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (entier)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -"Délai d'attente, en secondes, après l'annulation d'une requête " -"d'authentification en ligne ou de changement de mot de passe. La requête " -"d'authentification sera effectuée hors-ligne si cela est possible." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (booléen)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Vérifie à l'aide de krb5_keytab que le TGT obtenu n'a pas été usurpé. Les " -"entrées d'un fichier keytab sont vérifiées dans l'ordre, et la première " -"entrée avec un domaine correspondant est utilisée pour la validation. Si " -"aucune entrée ne correspond au domaine, la dernière entrée dans le fichier " -"keytab est utilisée. Ce processus peut être utilisé pour valider des " -"environnements utilisant l'approbation entre domaines en plaçant l'entrée " -"keytab appropriée comme dernière ou comme seule entrée dans le fichier " -"keytab." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (chaîne)" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VOIR AUSSI" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." 
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -"L'emplacement du fichier keytab à utiliser pour valider les données " -"d'identification obtenues à partir de KDC." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Par défaut : /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (booléen)" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "obtient les clés OpenSSH autorisées" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." 
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -"Stocke le mot de passe de l'utilisateur si le fournisseur est hors-ligne, " -"puis l'utilise pour obtenir un TGT lorsque le fournisseur redevient " -"disponible en ligne." +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -"NOTE : cette fonctionnalité n'est actuellement disponible que sur les plates-" -"formes Linux. Les mots de passe stockés de cette manière sont conservés en " -"texte brut dans le trousseau de clés du noyau et sont potentiellement " -"accessibles à l'utilisateur root (avec difficulté)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (chaîne)" +"<command>sss_ssh_authorizedkeys</command> acquiert les clés publiques SSH " +"pour <replaceable>USER</replaceable> et les renvoie dans le format " +"authorized_keys de OpenSSH (cf. 
la section <quote>FORMAT DE FICHIER " +"AUTHORIZED_KEYS</quote> de <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> pour plus d'informations)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -"Demande un ticket renouvelable avec une durée de vie totale, donnée par un " -"entier immédiatement suivi par une unité de temps :" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "<emphasis>s</emphasis> pour secondes" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "<emphasis>m</emphasis> pour minutes" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "<emphasis>h</emphasis> pour heures" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "<emphasis>d</emphasis> pour jours." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." -msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée " -"de vie renouvelable de une heure et trente minutes, utiliser « 90m » au lieu " -"de « 1h30m »." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -"Par défaut : non défini, c'est-à-dire que le TGT n'est pas renouvelable" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -"Demande un ticket avec une durée de vie, donnée par un entier immédiatement " -"suivi par une unité de temps :" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." -msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." 
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée " -"de vie de une heure et trente minutes, utiliser « 90m » au lieu de « 1h30m »." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 -msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -"Par défaut : non défini, c'est-à-dire la durée de vie par défaut configurée " -"dans le KDC." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (chaîne)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -"La durée, en secondes, entre deux vérifications pour savoir si le TGT doit " -"être renouvelé. Les TGT sont renouvelés si environ la moitié de leur durée " -"de vie est dépassée. Indiquée par un entier immédiatement suivi d'une unité " -"de temps :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -"Si cette option n'est pas définie ou définie à 0, le renouvellement " -"automatique est désactivé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (chaîne)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -"Active le flexible authentication secure tunneling (FAST) pour la pré-" -"authentification Kerberos. Les options suivantes sont supportées :" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -"<emphasis>never</emphasis> : ne jamais utiliser FAST. Ceci équivaut à ne pas " -"définir cette option." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"<emphasis>try</emphasis> : eassyer d'utiliser FAST. Si le serveur ne prend " -"pas en charge FAST, continuer l'authentification sans." +"Rechercher des clés publiques dans le domaine SSSD <replaceable>DOMAIN</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "CODE RETOUR" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -"<emphasis>demander</emphasis>  : imposer d'utiliser FAST. L'authentification " -"échoue si le serveur ne requiert pas FAST." +"Dans le cas d'un opération achevée avec succès, une valeur de retour de 0 " +"est renvoyée. Dans le cas contraire, 1 est renvoyé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "Par défaut : non défini, i.e. FAST n'est pas utilisé." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." -msgstr "NOTE : un fichier keytab est requis pour utiliser FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "obtenir les clés d'hôtes OpenSSH" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -"NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos " -"version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de " -"MIT Kerberos avec cette option est une erreur de configuration." +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (chaîne)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." -msgstr "Spécifie le principal de serveur afin d'utiliser FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" +"Si <replaceable>PROXY_COMMAND</replaceable> est indiqué, elle est alors " +"utilisée pour établier la connexion vers le système au lieu d'ouvrir une " +"socket." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -"Spécifie si les principaux du système et de l'utilisateur doivent être " -"rendus canoniques. Cette fonctionnalité est disponible avec MIT Kerberos 1.7 " -"et versions suivantes." 
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> peut être configuré pour utiliser " +"<command>sss_ssh_knownhostsproxy</command> pour l'authentication par clés en " +"utilisant les directives suivantes pour la configuration de " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> : <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" +"Utiliser le port <replaceable>PORT</replaceable> pour se connecter au " +"système. Par défaut, le port 22 est utilisé." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " -#| "more information on the locator plugin." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"Consulter la page de manuel de <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> pour plus d'informations sur le greffon de " -"localisation." +"Rechercher les clés publiques dans le domaine SSSD <replaceable>DOMAINE</" +"replaceable> hôte." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (booléen)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -"Indique si le principal de l'utilisateur doit être traité comme un principal " -"d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les " -"principals d'entreprise." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" -msgstr "Par défaut : false (AD provider : true)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" -msgstr "krb5_map_user (chaîne)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -"Si le module auth krb5 est utilisé dans un domaine SSSD, les options " -"suivantes doivent être utilisées. Cf. la page de manuel " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>, section <quote>SECTIONS DOMAINE</quote> pour plus " -"de détails sur la configuration d'un domaine SSSD. <placeholder type=" -"\"variablelist\" id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: idmap_sss.8.xml:62 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -"L'exemple suivant suppose que SSSD est correctement configuré et que FOO est " -"l'un des domaines de la section <replaceable>[sssd]</replaceable>. Cet " -"exemple montre uniquement la configuration de l'authentification Kerberos, " -"et n'inclut aucun fournisseur d'identité." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "Créer un nouveau groupe" +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#: sssctl.8.xml:21 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." -msgstr "" -"<command>sss_groupadd</command> crée un nouveau groupe. Ces groupes sont " -"compatibles avec les groupes POSIX, avec la caractéristique supplémentaire " -"qu'ils peuvent contenir d'autres groupes comme membres." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#: sssctl.8.xml:32 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -"Positionne le GID du groupe à la valeur <replaceable>GID</replaceable>. Si " -"non spécifié, il est choisi automatiquement." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "Supprimer un compte utilisateur" +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-files.5.xml:58 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"<command>sss_userdel</command> supprime du système un utilisateur identifié " -"par son identifiant de connexion <replaceable>LOGIN</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " -"l'utilisateur et sa messagerie seront supprimés. Outrepasse la configuration." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" -msgstr "<option>-R</option>,<option>--no-remove</option>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " -"l'utilisateur et sa messagerie ne seront PAS supprimés. Outrepasse la " -"configuration." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "<option>-f</option>,<option>--force</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Cette option oblige <command>sss_userdel</command> à supprimer le répertoire " -"home de l'utilisateur et sa messagerie, même si ils ne sont pas détenus par " -"l'utilisateur spécifié." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" -"Avant de réellement supprimer l'utilisateur, mettre fin à tous ses processus." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "supprimer un groupe" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" -"arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-files.5.xml:132 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -"<command>sss_groupdel</command> supprime du système un groupe identifié par " -"son nom de groupe <replaceable>GROUPE</replaceable>." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "affiche les propriétés d'un groupe" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-files.5.xml:143 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." 
msgstr "" -"<command>sss_groupshow</command> affiche des informations sur un groupe " -"identifié par son nom <replaceable>GROUPE</replaceable>. Les informations " -"incluent l'ID de groupe, les membres du groupe ainsi que le groupe parent." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -"Affiche aussi les membres indirects de groupe dans une hiérarchie " -"arborescente. Noter que cela affecte également les affichages de groupes " -"parents - sans l'option <option>R</option>, seul le parent direct sera " -"affiché." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "modifier un compte utilisateur" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 -msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." -msgstr "" -"<command>sss_usermod</command> modifie le compte défini par " -"<replaceable>LOGIN</replaceable> pour refléter les modifications fournies en " -"ligne de commande." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "Le répertoire personnel du compte utilisateur." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "L'interpréteur de commandes de l'utilisateur." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:23 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Ajouter cet utilisateur aux groupes spécifiés par le paramètre " -"<replaceable>GROUPS</replaceable>. Le paramètre <replaceable>GROUPS</" -"replaceable> est une liste séparée par des virgules de noms de groupes." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." -msgstr "" -"Retirer cet utilisateur de groupes spécifiés par le paramètre " -"<replaceable>GROUPS</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." -msgstr "Verrouiller le compte utilisateur. Il ne pourra plus se connecter." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "Déverrouiller le compte utilisateur." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" -"L'utilisateur SELinux pour l'identifiant de connexion de l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." -msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Définir une paire attribut/valeur. 
Le format est nom_attribut=valeur. Pour " -"les attributs multi-valués, la commande remplace les valeurs déjà présentes." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "effectue le nettoyage du cache" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. 
" +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "Invalider un utilisateur spécifique." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -"L'annulation de tous les enregistrements d'utilisateur. Cette option prend " -"le pas sur l'invalidation d'un utilisateur spécifique, si elle a été " -"également configuré." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "L'annulation de groupe spécifique." +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 -msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -"L'annulation de tous les enregistrements de groupe. Cette option prend le " -"pas sur l'invalidation d'un groupe spécifique si elle a été également " -"définie." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "Invalide un netgroup spécifique." +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:219 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -"Invalider tous les enregistrements de netgroup. Cette option prend le pas " -"sur l'invalidation de netgroup spécifiques s'il a été également définie." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "Invalider le service spécifique." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -"Invalider tous les enregistrements de service. Cette option se substitue à " -"l'invalidation de service spécifique s'elle a également été définie." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "Invalider des cartes autofs spécifiques." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:260 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -"Invalider toutes les cartes autofs. Cette option remplace l'invalidation de " -"carte spécifique s'elle a également été définie." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:278 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 -msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Invalidate all cached sudo rules. 
This option overrides invalidation of " -"specific sudo rule if it was also set." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." -msgstr "Restreindre le processus d'invalidation à un domaine particulier." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 -msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "initialise le cache SSSD avec un utilisateur" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -"<command>sss_seed</command> initialise le cache SSSD avec une entrée " -"d'utilisateur et le mot de passe temporaire. Si une entrée d'utilisateur est " -"déjà présente dans le cache de SSSD, l'entrée est mise à jour avec le mot de " -"passe temporaire." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#: sssd-secrets.5.xml:359 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -"Indique le nom de domaine duquel l'utilisateur est membre. Le domaine est " -"également utilisé pour récupérer les informations sur l'utilisateur. Le " -"domaine doit être configuré dans sssd.conf. L'option <replaceable>DOMAIN</" -"replaceable> doit être fournie. Les informations récupérées depuis le " -"domaine prennent le pas sur ce qui est fourni dans les options." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#: sssd-secrets.5.xml:372 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." 
+"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -"Le nom d'utilisateur de l'entrée devant être créée ou modifiée dans le " -"cache. L'option <replaceable>USER</replaceable> doit être fournie." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "Définit l'UID de l'utilisateur à <replaceable>UID</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." -msgstr "Définit le GID de l'utilisateur à <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#: sssd-secrets.5.xml:385 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -"Définit le répertoire de l'utilisateur à <replaceable>HOME_DIR</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" -"Définit l'interpréteur de commande de l'utilisateur à <replaceable>SHELL</" -"replaceable>." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:398 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -"Mode interactif pour la saisie des informations de l'utilisateur. Cette " -"option invite uniquement à la saisir des renseignements non fournis dans les " -"options ou non récupérés à partir du domaine." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 -msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 -msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -"Spécifie le fichier dans lequel lire le mot de passe de l'utilisateur. (si " -"aucun mot de passe n'est spécifié, il sera demandé)" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-secrets.5.xml:424 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -"La taille du mot de passe (ou la taille du fichier spécifié avec l'option -p " -"ou --password-file) doit être inférieure ou égale à PASS_MAX octets (64 " -"octets sur les systèmes sans valeur globale définie de PASS_MAX)." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" -msgstr "sssd-ifp" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:461 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. 
The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" -msgstr "name" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" -msgstr "identifiant de connexion de l'utilisateur" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" -msgstr "uidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" -msgstr "identifiant de l'utilisateur" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" -msgstr "gidNumber" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" -msgstr "identifiant de groupe primaire" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" -msgstr "gecos" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" -msgstr "informations utilisateur, généralement le nom complet" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" -msgstr "homeDirectory" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" -msgstr "loginShell" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "interpréteur de commande" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#: sssd-secrets.5.xml:484 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 +#: sssd-secrets.5.xml:501 #, no-wrap msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" " " msgstr "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -"Par défaut : non défini. Seul le jeu d'attributs POSIX par défaut est " -"autorisé." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 -msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" -msgstr "FICHIER DE CONFIGURATION" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" -msgstr "EXTENSION DE CONFIGURATION SSS" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" -msgstr "Section de configuration [sss]" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" -msgstr "INTÉGRATION SSSD" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." 
+#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-secrets.5.xml:565 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#: sssd-secrets.5.xml:576 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" "\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" "\n" -"[Translation]\n" -"Method = sss\n" -msgstr "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" "\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" "\n" -"[Translation]\n" -"Method = sss\n" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 -msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "VOIR AUSSI" - #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -msgstr "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" - -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "obtient les clés OpenSSH autorisées" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#: sssd-secrets.5.xml:602 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -"<command>sss_ssh_authorizedkeys</command> acquiert les clés publiques SSH " -"pour <replaceable>USER</replaceable> et les renvoie dans le format " -"authorized_keys de OpenSSH (cf. la section <quote>FORMAT DE FICHIER " -"AUTHORIZED_KEYS</quote> de <citerefentry><refentrytitle>sshd</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> pour plus d'informations)." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#: sssd-secrets.5.xml:606 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. 
When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." 
+"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -"Rechercher des clés publiques dans le domaine SSSD <replaceable>DOMAIN</" -"replaceable>." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" -msgstr "CODE RETOUR" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#: sssd-kcm.8.xml:42 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -"Dans le cas d'un opération achevée avec succès, une valeur de retour de 0 " -"est renvoyée. Dans le cas contraire, 1 est renvoyé." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "obtenir les clés d'hôtes OpenSSH" +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-kcm.8.xml:67 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -"Si <replaceable>PROXY_COMMAND</replaceable> est indiqué, elle est alors " -"utilisée pour établier la connexion vers le système au lieu d'ouvrir une " -"socket." #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#: sssd-kcm.8.xml:84 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 +#: sssd-kcm.8.xml:76 msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> peut être configuré pour utiliser " -"<command>sss_ssh_knownhostsproxy</command> pour l'authentication par clés en " -"utilisant les directives suivantes pour la configuration de " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> : <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. 
To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -"Utiliser le port <replaceable>PORT</replaceable> pour se connecter au " -"système. Par défaut, le port 22 est utilisé." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -"Rechercher les clés publiques dans le domaine SSSD <replaceable>DOMAINE</" -"replaceable> hôte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#: sssd-kcm.8.xml:155 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of the AD provider for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " +#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page." msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." 
msgstr "" +"Cette page de manuel décrit la configuration du fournisseur AD pour " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section " +"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-kcm.8.xml:183 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (entier)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id,max_id (entier)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +"How many credential caches does the KCM database allow per UID. 
This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Par défaut : 6" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (entier)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Par défaut : 6" + #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#: sssd-kcm.8.xml:247 msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-systemtap.5.xml:23 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." 
+"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 +#: sssd-systemtap.5.xml:32 msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. 
Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"passwd: sss files\n" -"group: sss files\n" -msgstr "" - -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 #, no-wrap msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "user_attributes = +telephoneNumber, -loginShell\n" +#| " " msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"attr:string\n" +"value:string\n" +" " msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 +msgid "" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 -msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 -msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 -msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" -msgstr "" +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (chaînes)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "Fournisseur LDAP SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" +"Ce manuel décrit la configuration des domaines LDAP pour <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. 
Se référer à la section <quote>FILE FORMAT</quote> du manuel " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> pour des informations sur la syntaxe détaillée." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 -msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "La classe d'objet d'une entrée utilisateur dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Par défaut : posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" +"L'attribut LDAP correspondant à l'identifiant de connexion de l'utilisateur." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "L'attribut LDAP correspondant à l'id de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "par défaut : uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" +"L'attribut LDAP correspondant à l'id du groupe primaire de l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Par défaut : gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "L'attribut LDAP correspondant au champ gecos de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Par défaut : gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" +"L'attribut LDAP qui contient le nom du répertoire personnel de l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" +"L'attribut LDAP qui contient le chemin vers l'interpréteur de commandes de " +"l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Par défaut : loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" +"Par défaut : non défini dans le cas général, objectGUID pour AD et " +"ipaUniqueID pour IPA" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"L'attribut LDAP qui contient l'objectSID d'un objet d'utilisateur LDAP. Ceci " +"n'est habituellement nécessaire que pour les serveurs Active Directory." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" +"L'attribut LDAP qui contient l'horodatage de la dernière modification de " +"l'objet parent." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Par défaut : modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (date de changement du dernier mot de passe)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Par défaut : shadowLastChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." 
msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie<citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (durée de validité minimum du mot de passe)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Par défaut : shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (âge maximum du mot de passe)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Par défaut : shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (période d'avertissement du mot de passe)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Par défaut : shadowWarning" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (période d'inactivité du mot de passe)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Par défaut : shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow ou " +"ldap_account_expire_policy=shadow, ce paramètre contient le nom de " +"l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (date d'expiration du compte)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Par défaut : shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." 
msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient " +"le nom de l'attribut LDAP stockant la date et l'heure du dernier changement " +"de mot de passe dans kerberos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap -msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Par défaut : krbLastPwdChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient " +"le nom de l'attribut LDAP stockant la date et l'heure d'expiration du mot de " +"passe actuel." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Par défaut : krbPasswordExpiration" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 -msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre " +"contient le nom d'un attribut LDAP stockant la date d'expiration du compte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 -msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Par défaut : accountExpires" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre " +"contient le nom d'un attribut LDAP stockant le champ de bits de contrôle du " +"compte utilisateur." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Par défaut : userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=rhds ou équivalent, ce " +"paramètre détermine si l'accès est autorisé ou non." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "Par défaut : nsAccountLock" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. 
Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " +"détermine si l'accès est autorisé ou non." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Par défaut : loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " +"détermine jusqu'à quand l'accès est autorisé." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" +"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut " +"détermine les heures des jours dans la semaine pendant lesquelles l'accès " +"est autorisé." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Par défaut : loginAllowedTimeMap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" +"L'attribut LDAP contenant le nom du principal d'utilisateur (UPN) Kerberos " +"de l'utilisateur." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Par défaut : krbPrincipalName" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" +"Liste séparée par des virgules des attributs LDAP que SSSD va demander en " +"plus des attributs utilisateur habituels." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" +"La liste ne peut contenir que des noms d'attributs LDAP, ou des tuples " +"séparés par des virgules de nom d'attribut de cache et nom d'attribut LDAP. " +"Dans le cas où seul le nom d'un attribut LDAP est indiqué, l'attribut est " +"enregistré tel quel dans le cache. L'utilisation d'un nom d'attribut SSSD " +"peut être nécessaire pour les environnements configurant plusieurs domaines " +"SSSD utilisant des schémas LDAP différents." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." 
+"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" +"Veuillez noter que plusieurs noms d'attributs sont réservés par SSSD, dont " +"l'attribut <quote>name</quote>. SSSD émettrait une erreur si l'un des noms " +"d'attributs réservés est utilisé par un nom d'attribut supplémentaire." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" +"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que " +"<quote>telephoneNumber</quote> dans le cache." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" +"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que " +"<quote>phone</quote> dans le cache." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (chaîne)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "L'attribut LDAP qui contient les clés publiques SSH de l'utilisateur." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "Par défaut : sshPublicKey" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" +"L'attribut LDAP énumérant les groupes auquel appartient un utilisateur." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Par défaut : memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"Lorsque access_provider=ldap et ldap_access_order=authorized_service, SSSD " +"utilise la présence de l'attribut authorizedService dans l'entrée LDAP de " +"l'utilisateur pour déterminer les autorisations d'accès." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"Le refus explicite (!svc) est résolu en premier. Ensuite, SSSD cherche une " +"autorisation explicite (svc) et enfin allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" +"Noter que l'option de configuration ldap_access_order <emphasis>doit</" +"emphasis> inclure <quote>authorized_service</quote> de façon à permettre à " +"l'option ldap_user_authorized_service de fonctionner." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Par défaut : authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" +"Si access_provider=ldap et ldap_access_order=host, SSSD va utiliser la " +"présence de l'attribut host dans l'entrée LDAP de l'utilisateur pour " +"déterminer les autorisations d'accès." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" +"Le refus explicite (!host) est résolu en premier. SSSD recherche ensuite les " +"autorisations explicites (host) et enfin toutes les autorisations (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." 
+"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" +"Noter que l'option de configuration ldap_access_order <emphasis>doit</" +"emphasis> inclure <quote>host</quote> de façon à permettre à l'option " +"ldap_user_authorized_host de fonctionner." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Par défaut : host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. 
For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. 
<placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. 
If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "La classe d'objet d'une entrée de groupe dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Par défaut : posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "L'attribut LDAP correspondant au nom du groupe." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "L'attribut LDAP correspondant à l'identifiant de groupe." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "L'attribut LDAP contenant les noms des membres du groupe." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Par défaut : memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. 
Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"L'attribut LDAP qui contient l'objectSID d'un objet de groupe LDAP. Ceci " +"n'est habituellement nécessaire que pour les serveurs Active Directory." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 #, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the AD provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." 
+"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -"Cette page de manuel décrit la configuration du fournisseur AD pour " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section " -"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"L'attribut LDAP qui contient une valeur entière indiquant le type de groupe " +"voire d'autres indicateurs." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" +"Cet attribut est actuellement utilisé uniquement par le fournisseur AD pour " +"déterminer si un groupe est un groupe de domaine local et doit être filtré " +"hors des domaines approuvés." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (entier)" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id,max_id (entier)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "La classe d'objet d'une entrée de netgroup dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" +"Pour un fournisseur IPA, ipa_netgroup_object_class doit être utilisé à la " +"place." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Par défaut : 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Par défaut : nisNetgroup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (entier)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "L'attribut LDAP correspondant au nom du netgroup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" +"Dans le fournisseur IPA, ipa_netgroup_name doit être utilisé à la place." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (chaîne)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Par défaut : 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "L'attribut LDAP contenant les noms des membres du netgroup." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" +"Dans le fournisseur IPA, ipa_netgroup_member doit être utilisé à la place." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Par défaut : memberNisNetgroup" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (chaîne)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"L'attribut LDAP contenant les triplets (hôte, utilisateur, domaine) d'un " +"netgroup." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "Cette option n'est pas disponible dans le fournisseur IPA." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Par défaut : nisNetgroupTriple" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (chaîne)" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Par défaut : ipService" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap -msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap -msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "SECTIONS DE SERVICES" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "La classe d'objet d'une entrée de service LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" +"L'attribut LDAP qui contient le nom des attributs de service et de leurs " +"alias." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "L'attribut LDAP qui contient le port géré par ce service." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Par défaut : ipServicePort" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." +msgstr "L'attribut LDAP qui contient les protocoles compris par ce service." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Par défaut : ipServiceProtocol" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "La classe d'objet d'une entrée de règle de sudo dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Par défaut : sudoRole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "L'attribut LDAP qui correspond au nom de la règle de sudo." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "L'attribut LDAP qui correspond au nom de la commande." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Par défaut : sudoCommand" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (string)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" +"L'attribut LDAP qui correspond au nom d'hôte (ou adresse IP de l'hôte, " +"réseau IP de l'hôte ou netgroup de l'hôte)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Par défaut : sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" +"L'attribut LDAP qui correspond au nom d'utilisateur (ou UID, le nom du " +"groupe ou netgroup de l'utilisateur)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Par défaut : sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "L'attribut LDAP qui correspond aux options sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Par défaut : sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" +"L'attribut LDAP qui correspond aux commandes peuvent être exécutées sous le " +"nom d'utilisateur." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Par défaut : sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" +"L'attribut LDAP qui correspond au nom du groupe ou GID du groupe sous lequel " +"les commandes seront être exécutées." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Par défaut : sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." 
msgstr "" +"L'attribut LDAP qui correspond à la date/heure de début pour laquelle la " +"règle sudo est valide." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Par défaut : sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" +"L'attribut LDAP qui correspond à la date/heure d'expiration, après quoi la " +"règle sudo ne sera plus valide." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Par défaut : sudoNotAfter" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "L'attribut LDAP qui correspond à l'index de tri de la règle." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Par défaut : sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "OPTIONS AUTOFS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" +"La classe d'objet d'une entrée de table de montage automatique dans LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "Le nom d'une entrée de table de montage automatique dans LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" +"La clé d'une entrée de montage automatique dans LDAP. L'entrée correspond " +"généralement à un point de montage." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (string)" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> 
@@ -18534,3 +18901,17 @@ msgstr "" #~ msgid "Default: homeDirectory" #~ msgstr "Par défaut : homeDirectory" + +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (entier)" + +#~ msgid "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#~ msgstr "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" diff --git a/src/man/po/ja.po b/src/man/po/ja.po index e5c209a0547..5231f970bbf 100644 --- a/src/man/po/ja.po +++ b/src/man/po/ja.po @@ -11,7 +11,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2019-05-28 11:45+0000\n" "Last-Translator: Keiko Moriguchi <kemorigu@redhat.com>\n" "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" @@ -34,7 +34,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD マニュアル ページ" 
@@ -80,7 +80,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "概要" @@ -150,7 +150,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -159,7 +159,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "ファイル形式および変換" 
@@ -320,12 +320,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "初期値: true" 
@@ -342,19 +342,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "初期値: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -377,8 +381,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "初期値: 10" @@ -393,7 +397,7 @@ msgid "The [sssd] section" msgstr "[sssd] セクション" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "セクションのパラメーター" @@ -443,12 +447,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -457,7 +461,7 @@ msgstr "" "める前に試行する回数です。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "初期値: 3" @@ -477,7 +481,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (文字列)" 
@@ -497,12 +501,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -513,39 +517,39 @@ msgstr "" "manvolnum> </citerefentry> 互換形式。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "ユーザー名" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -562,16 +566,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (論理値)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD は、内部 DNS リゾルバーを更新する必要となるときを認識するために、resolv." "conf の状態を監視します。初期状態では、このために inotify を使用しようとしま" 
@@ -579,7 +602,7 @@ msgstr "" "フォールバックします。" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -590,7 +613,7 @@ msgstr "" "です" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -599,7 +622,7 @@ msgstr "" "トフォームにおいては偽です。" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -608,12 +631,12 @@ msgstr "" "ません。これらのプラットフォームにおいては、ポーリングが常に使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." @@ -622,7 +645,7 @@ msgstr "" "クトリーです。" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." 
@@ -631,7 +654,7 @@ msgstr "" "よう SSSD に指示する、特別な値 __LIBKRB5_DEFAULTS__ を受け付けます。" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -640,12 +663,12 @@ msgstr "" "ければ __LIBKRB5_DEFAULTS__ です)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -658,17 +681,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " 
@@ -678,7 +701,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " @@ -691,23 +714,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "初期値: 設定されません" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -717,7 +740,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -726,22 +749,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -749,69 +772,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "初期値: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -819,19 +861,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -839,24 +881,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -865,7 +907,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -873,8 +915,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -882,68 +938,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -954,7 +1010,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -971,7 +1027,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -993,12 +1049,12 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "サービスセクション" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -1010,22 +1066,22 @@ msgstr "" "ば、NSS サービスは <quote>[nss]</quote> セクションです" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "サービス設定の全体オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "これらのオプションはすべてのサービスを設定するために使用できます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -1035,17 +1091,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1055,18 +1111,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "初期値: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1074,24 +1130,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1099,12 +1155,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1116,30 +1172,30 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "初期値: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "NSS 設定オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1147,12 +1203,12 @@ msgstr "" "きます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1161,17 +1217,17 @@ msgstr "" "要求)。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "初期値: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1182,7 +1238,7 @@ msgstr "" "す。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1197,7 +1253,7 @@ msgstr "" "とをブロックする必要がありません。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1210,17 +1266,17 @@ msgstr "" "(0 はこの機能を無効にします)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "初期値: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1231,17 +1287,17 @@ msgstr "" "せ)をキャッシュする秒数を指定します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "初期値: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1249,17 +1305,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1268,7 +1324,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " @@ -1277,17 +1333,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "初期値: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" 
@@ -1295,12 +1351,12 @@ msgstr "" "ションを偽に設定します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1309,7 +1365,7 @@ msgstr "" "ホームディレクトリーの標準テンプレートを設定します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1317,7 +1373,7 @@ msgstr "" "同じです。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1327,23 +1383,23 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "初期値: 設定なし (ホームディレクトリーの設定がない場合は代替なし)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " @@ -1351,17 +1407,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "初期値: 設定なし (SSSD は LDAP から取得された値を使用します)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" 
@@ -1369,13 +1425,13 @@ msgstr "" "す:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" "1. シェルが <quote>/etc/shells</quote> に存在すると、それが使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1384,7 +1440,7 @@ msgstr "" "ば、shell_fallback パラメーターの値を使用します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." @@ -1393,12 +1449,12 @@ msgstr "" "ば、nologin シェルが使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1406,12 +1462,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "シェルの空文字列は libc にそのまま渡されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." @@ -1421,27 +1477,27 @@ msgstr "" "ます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "初期値: 設定されません。ユーザーシェルが自動的に使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "これらのシェルのインスタンスをすべて shell_fallback に置き換えます" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1449,74 +1505,74 @@ msgstr "" "す。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "初期値: /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (整数)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1527,48 +1583,48 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "このオプションはドメインごとに設定できます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "PAM 設定オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." 
@@ -1577,12 +1633,12 @@ msgstr "" "ために使用できます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1591,17 +1647,17 @@ msgstr "" "ラインログインの最終成功からの日数)です。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "初期値: 0 (無制限)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1609,12 +1665,12 @@ msgstr "" "認証プロバイダーがオフラインの場合、ログイン試行の失敗が許容される回数です。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1623,7 +1679,7 @@ msgstr "" "渡される分単位の時間です。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1634,17 +1690,17 @@ msgstr "" "効にできます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "初期値: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1653,42 +1709,42 @@ msgstr "" "きいほどメッセージが表示されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "現在 sssd は以下の値をサポートします:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: 何もメッセージを表示しない" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: 重要なメッセージのみを表示する" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: 情報レベルのメッセージを表示する" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "<emphasis>3</emphasis>: すべてのメッセージとデバッグ情報を表示する" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "初期値: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1697,61 +1753,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1761,7 +1817,7 @@ msgstr "" "されるよう、SSSD は直ちにキャッシュされた識別情報を更新しようとします。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1774,17 +1830,17 @@ msgstr "" "アプリケーションごとに)制御します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "パスワードの期限が切れる前に N 日間警告を表示します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1794,31 +1850,31 @@ msgstr "" "ことに注意してください。この情報がなければ、sssd は警告を表示します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "初期値: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1828,75 +1884,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "初期値: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1904,19 +1960,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1924,12 +1980,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1937,77 +1993,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "初期値: 偽" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -2015,7 +2071,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2027,63 +2083,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -2091,12 +2147,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2107,7 +2163,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2115,7 +2171,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2123,7 +2179,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2132,12 +2188,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "SUDO 設定オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" @@ -2148,12 +2204,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." 
@@ -2162,12 +2218,12 @@ msgstr "" "を評価するかしないかです。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2177,22 +2233,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "Autofs 設定オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "これらのオプションが autofs サービスを設定するために使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2203,51 +2259,51 @@ msgstr "" "ヒットする秒数を指定します。" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "SSH 設定オプション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "これらのオプションは SSH サービスを設定するために使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "初期値: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2256,24 +2312,53 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set, i.e. FAST is not used." +msgid "Default: not set, all found rules are used" +msgstr "初期値: 設定されません、つまり FAST が使用されません。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2284,7 +2369,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2295,24 +2380,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2320,12 +2405,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2334,24 +2419,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2361,66 +2446,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2428,17 +2513,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2446,7 +2531,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2454,22 +2539,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "ドメインセクション" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2478,14 +2563,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2494,31 +2579,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." @@ -2527,7 +2612,7 @@ msgstr "" "トリーを含む場合、それは無視されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2539,24 +2624,24 @@ msgstr "" "バーに対して、範囲内にあるものは予期されたものとして報告されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "初期値: min_id は 1, max_id は 0 (無制限)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2565,29 +2650,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = ユーザーとグループが列挙されます" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = このドメインに対して列挙しません" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "初期値: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2601,7 +2686,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -2610,7 +2695,7 @@ msgstr "" "れが完了するまで結果を返しません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2623,39 +2708,39 @@ msgstr "" "てください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2664,12 +2749,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -2678,7 +2763,7 @@ msgstr "" "数です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -2689,17 +2774,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "初期値: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -2708,19 +2793,19 @@ msgstr "" "考える秒数です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "初期値: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -2729,12 +2814,12 @@ msgstr "" "考える秒数です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -2743,12 +2828,12 @@ msgstr "" "有効であると考える秒数です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" 
@@ -2757,55 +2842,55 @@ msgstr "" "考える秒数です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2814,45 +2899,45 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "初期値: 0 (無効)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか" "を決めます" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" "ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -2860,24 +2945,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -2889,17 +2974,17 @@ msgstr "" "offline_credentials_expiration と同等以上でなければいけません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "初期値: 0 (無制限)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -2908,17 +2993,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "初期値: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -2926,18 +3011,18 @@ msgstr "" "ダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2945,7 +3030,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2956,8 +3041,8 @@ msgstr "" "manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -2970,8 +3055,8 @@ msgstr "" "い。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2982,12 +3067,12 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -2996,7 +3081,7 @@ msgstr "" "名形式により整形されたように) を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3009,7 +3094,7 @@ msgstr "" "んが、<command>getent passwd test@LOCAL</command> は見つけられます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3017,22 +3102,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3044,7 +3129,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " @@ -3052,12 +3137,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" 
@@ -3066,7 +3151,7 @@ msgstr "" "ダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3077,7 +3162,7 @@ msgstr "" "manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3088,24 +3173,24 @@ msgstr "" "manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" "<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> は明示的に認証を無効化します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." 
@@ -3114,12 +3199,12 @@ msgstr "" "ならば、それが使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " @@ -3130,7 +3215,7 @@ msgstr "" "えます)。内部の特別プロバイダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." @@ -3139,12 +3224,12 @@ msgstr "" "ロバイダーのみアクセスが許可されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> は常にアクセスを拒否します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3157,7 +3242,7 @@ msgstr "" "citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3165,22 +3250,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "初期値: <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3189,7 +3274,7 @@ msgstr "" "パスワード変更プロバイダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3197,7 +3282,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3208,7 +3293,7 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" @@ -3216,12 +3301,12 @@ msgstr "" "します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3230,19 +3315,19 @@ msgstr "" "うことができるならば、それが使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー" "は次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3253,33 +3338,33 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry> を参照します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "<quote>none</quote> は SUDO を明示的に無効化します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" "初期値: <quote>id_provider</quote> の値が設定されていると使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3290,7 +3375,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3299,12 +3384,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3312,7 +3397,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3320,31 +3405,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3352,7 +3437,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3361,17 +3446,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3379,37 +3464,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -3417,7 +3502,7 @@ msgstr "" "プロバイダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3428,7 +3513,7 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3439,7 +3524,7 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3447,17 +3532,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "<quote>none</quote> は明示的に autofs を無効にします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -3466,7 +3551,7 @@ msgstr "" "hostid プロバイダーは次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3477,12 +3562,12 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "<quote>none</quote> は明示的に hostid を無効にします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3492,7 +3577,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3501,29 +3586,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "username@domain.name" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "domain\\username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3534,7 +3619,7 @@ msgstr "" "everything after that\" に解釈されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3544,17 +3629,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "初期値: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -3563,46 +3648,46 @@ msgstr "" "します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "サポートする値:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" "ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" "ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" "ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" "ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "初期値: ipv4_first" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -3611,25 +3696,25 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "初期値: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -3638,52 +3723,52 @@ msgstr "" "イン部分を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "初期値: マシンのホスト名のドメイン部分を使用します" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "プライマリー GID の値を指定されたもので上書きします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3691,7 +3776,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " @@ -3700,17 +3785,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3718,34 +3803,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3753,32 +3838,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "サブドメインのフラット (NetBIOS) 名。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3788,35 +3873,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" "値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "初期値: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3825,19 +3910,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3845,24 +3930,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3871,24 +3956,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3898,14 +3983,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3913,21 +3998,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3935,7 +4020,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3944,7 +4029,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3953,7 +4038,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3964,17 +4049,17 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "中継するプロキシターゲット PAM です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." @@ -3983,12 +4068,12 @@ msgstr "" "をここに追加する必要があります。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3999,12 +4084,12 @@ msgstr "" "_nss_files_getpwent です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -4013,12 +4098,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -4026,7 +4111,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4035,12 +4120,12 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -4057,7 +4142,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -4065,17 +4150,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -4084,7 +4169,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4094,7 +4179,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -4114,12 +4199,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "ローカルドメインのセクション" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -4130,27 +4215,27 @@ msgstr "" "メインに対する設定を含みます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "SSSD ユーザー空間ツールを用いて作成されたユーザーの初期シェルです。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "初期値: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4159,17 +4244,17 @@ msgstr "" "ホームディレクトリーとして使用します。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "初期値: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4178,17 +4263,17 @@ msgstr "" "す。コマンドラインにおいて上書きできます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "初期値: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (論理値)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4197,12 +4282,12 @@ msgstr "" "す。コマンドラインにおいて上書きできます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (整数)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4213,17 +4298,17 @@ msgstr "" "manvolnum> </citerefentry> により使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "初期値: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4236,17 +4321,17 @@ msgstr "" "を含む、スケルトンディレクトリーです。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "初期値: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4257,17 +4342,17 @@ msgstr "" "が使用されます。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "初期値: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (文字列)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4278,17 +4363,17 @@ msgstr "" "せん。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "初期値: なし、コマンドを実行しません" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4299,69 +4384,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4374,7 +4459,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4382,7 +4467,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4391,55 +4476,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4448,17 +4533,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4466,26 +4551,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4494,17 +4579,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4514,7 +4599,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4523,59 +4608,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4583,14 +4668,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4598,7 +4683,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4606,12 +4691,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4665,7 +4750,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4674,7 +4759,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4682,7 +4767,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4693,7 +4778,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4707,7 +4792,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4775,12 +4860,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "設定オプション" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" @@ -4790,17 +4875,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "URI の形式は RFC 2732 に決められている形式と一致しなければいけません:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<host>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" 
@@ -4808,17 +4893,17 @@ msgstr "" "す。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "例: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4827,29 +4912,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "サービス discovery ldap_chpass_dns_service_name を有効にするには、設定する必" "要があります。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "初期値: 空、つまり ldap_uri が使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "LDAP ユーザー操作を実行するために使用される初期ベース DN です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -4857,17 +4942,17 @@ msgstr "" "SSSD 1.7.0 以降、SSSD は次の構文を使用して複数の検索ベースをサポートします:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "範囲は \"base\", \"onelevel\" または \"subtree\" のどれかです。" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -4875,14 +4960,14 @@ msgstr "" "フィルターは http://www.ietf.org/rfc/rfc2254.txt により指定されたような有効" "な LDAP 検索フィルターである必要があります。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "例:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -4891,7 +4976,7 @@ msgstr "" "ldap_search_base = dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -4900,7 +4985,7 @@ msgstr "" "(host=thishost)?dc=example.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4909,7 +4994,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -4920,12 +5005,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -4933,32 +5018,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4969,37 +5054,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "初期値: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5008,57 +5093,57 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "LDAP ユーザー操作を実行するために使用される初期バインド DN です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "初期バインド DN の認証トークンの形式です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "現在 2 つのメカニズムがサポートされます:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "初期値: password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5067,11297 +5152,11573 @@ msgstr "" "在サポートされます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "LDAP にあるユーザーエントリーのオブジェクトクラスです。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "初期値: posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "ユーザーのログイン名に対応する LDAP の属性です。" +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" +"いくつかのディレクトリーサーバー、たとえば Active Directory、は小文字のレルム" +"を転送しません。それにより、認証が失敗します。もし大文字のレルムを使用したい" +"場合、このオプションを 0 以外に設定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (文字列)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "ユーザーの ID に対応する LDAP の属性です。" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "初期値: uidNumber" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"SSSD が列挙レコードのキャッシュを更新する前に待つ必要がある秒数を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (文字列)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." -msgstr "ユーザーのプライマリーグループ ID に対応する LDAP の属性です。" +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"使用していないエントリー(メンバーのいないグループやログインしたことがない" +"ユーザーなど)に対してキャッシュを確認して、保存領域を節約するためにそれらを" +"削除する間隔を決めます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "初期値: gidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. 
Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" +"ldap_schema が入れ子グループ (例: RFC2307bis) をサポートするスキーマ形式に設" +"定されていると、このオプションが入れ子 SSSD がしたがうレベルを制御します。こ" +"のオプションは RFC2307 スキーマにおいて効果がありません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (文字列)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "初期値: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "ユーザーの gecos 項目に対応する LDAP の属性です。" +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "初期値: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (文字列)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." -msgstr "ユーザーのホームディレクトリーの名前を含む LDAP の属性です。" +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" +"オプションです。ホストオブジェクトの検索ベースとして与えられた文字列を使用し" +"ます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" +"複数の検索ベースを設定することの詳細は <quote>ldap_search_base</quote> を参照" +"してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." -msgstr "ユーザーの初期シェルのパスを含む LDAP の属性です。" +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "初期値: <emphasis>ldap_search_base</emphasis> の値" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "初期値: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (文字列)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" +"注: このオプションは SSSD の将来のバージョンにおいて変更される可能性がありま" +"す。特定の種類の検索のために一連のタイムアウトによりある時点に置き換えられる" +"かもしれません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (文字列)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" -"LDAP ユーザーオブジェクトの objectSID を含む LDAP 属性です。これは通常 " -"ActiveDirectory サーバーに対してのみ必要です。" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (文字列)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "親オブジェクトの最終変更のタイムスタンプを含む LDAP 属性です。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "初期値: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." 
+msgstr "" +"<citerefentry> <refentrytitle>connect</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> に続けて <citerefentry> <refentrytitle>poll</" +"refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/<citerefentry> " +"<refentrytitle>select</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> が未使用を返した後のタイムアウト(秒単位)を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (文字列)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(最終パスワード変更日)に対応する LDAP 属性の名前を" -"含みます。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "初期値: shadowLastChange" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (文字列)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(最小パスワード期限)に対応する LDAP 属性の名前を含" -"みます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "初期値: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "初期値: 900 (15 分)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (文字列)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(最大パスワード期限)に対応する LDAP 属性の名前を含" -"みます。" +"1 回の要求で LDAP から取得するレコード数を指定します。いくつかの LDAP サー" +"バーは 1 要求あたりの最大数の制限を強制します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "初期値: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "初期値: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (文字列)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Disable the LDAP paging control. 
This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(パスワード警告期間)に対応する LDAP 属性の名前を含" -"みます。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "初期値: shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (文字列)" +"LDAP ページング制御を無効にします。LDAP サーバーがその RootDSE において LDAP " +"ページング制御をサポートするが、有効化されていない、もしくは正しく動作しない" +"ことを報告する場合に、このオプションが使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(パスワード無効期間)に対応する LDAP 属性の名前を含" -"みます。" +"例: サーバーにページング制御モジュールがインストールされているが、RootDSE に" +"おいて有効化されていないと報告され、それを使用できない OpenLDAP サーバーで" +"す。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "初期値: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"例: 389 DS は単一の接続において同時に 1 つのページ制御のみをサポートします。" +"負荷の高いクライアントにおいては、いくつかの要求が拒否される結果になる可能性" +"があります。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (文字列)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." -msgstr "" -"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> の対応部分(アカウント失効日)に対応する LDAP 属性の名前を含み" -"ます。" +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "Active Directory の範囲の取得を無効化します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "初期値: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). 
If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (文字列)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは Kerberos " -"の最終パスワード変更日時を保存する LDAP 属性の名前を含みます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "初期値: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (文字列)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは現在のパス" -"ワード失効日時を保存する LDAP 属性の名前を含みます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "初期値: krbPasswordExpiration" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (文字列)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. 
The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"ldap_account_expire_policy=ad を使用するとき、このパラメーターはアカウントの" -"失効日時を保存する LDAP 属性の名前を含みます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "初期値: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (文字列)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" -"ldap_account_expire_policy=ad を使用するとき、このパラメーターはユーザーアカ" -"ウントの制御ビット項目を保存する LDAP 属性の名前を含みます。" +"もしあれば、 TLS セッションにおいてサーバー証明書において実行するためにチェッ" +"クするものを指定します。以下の値のうち 1 つを指定できます:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "初期値: userAccountControl" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (文字列)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = クライアントがすべてのサーバー証明書を要求または" +"確認しません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" -"ldap_account_expire_policy=rhds または同等のものを使用するとき、このパラメー" -"ターがアクセスが許可されるかされないかを決定します。" +"<emphasis>allow</emphasis> = サーバー証明書が要求されます。証明書が提供されな" +"ければ、セッションが通常通り進められます。不正な証明書が提供されると、それは" +"無視され、セッションが通常通り進められます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "初期値: nsAccountLock" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (文字列)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" +"<emphasis>try</emphasis> = サーバー証明書が要求されます。証明書が提供されなけ" +"れば、セッションが通常通り進められます。不正な証明書が提供されると、セッショ" +"ンが直ちに終了します。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" -"ldap_account_expire_policy=nds を使用するとき、アクセスが許可されるかされない" -"かをこの属性が決定します。" +"<emphasis>demand</emphasis> = サーバー証明書が要求されます。証明書が提供され" +"なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "初期値: loginDisabled" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (文字列)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." -msgstr "" -"ldap_account_expire_policy=nds を使用しているとき、この属性はデータアクセスが" -"いつまで許可されるのかを決定します。" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "初期値: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (文字列)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (文字列)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"ldap_account_expire_policy=nds を使用しているとき、この属性はアクセスが許可さ" -"れるときの一週間の日の時間を決定します。" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> が認識するすべての認証局に対する証明" +"書を含むファイルを指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "初期値: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" +"初期値: OpenLDAP の初期値の使用、一般的に <filename>/etc/openldap/ldap.conf</" +"filename> にあります" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (文字列)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "ユーザーの Kerberos User Principal Name (UPN) を含む LDAP 属性です。" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. 
If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" +"個別のファイルに CA 証明書を含むディレクトリーのパスを指定します。一般的に" +"ファイル名は '.0' で終わる証明書のハッシュである必要があります。利用可能なら" +"ば、<command>cacertdir_rehash</command> は正しい名前を作成するために使用でき" +"ます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "初期値: krbPrincipalName" +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "クライアントのキーに対する証明書を含むファイルを指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "" +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." -msgstr "" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "クライアントのキーを含むファイルを指定します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:741 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" +"チャネルを保護するために <systemitem class=\"protocol\">tls</systemitem> も使" +"用する必要がある id_provider 接続を指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (論理値)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" +"この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (文字列)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." -msgstr "ユーザーの SSH 公開鍵を含む LDAP 属性です。" +#: sssd-ldap.5.xml:789 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (論理値)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:810 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"いくつかのディレクトリーサーバー、たとえば Active Directory、は小文字のレルム" -"を転送しません。それにより、認証が失敗します。もし大文字のレルムを使用したい" -"場合、このオプションを 0 以外に設定します。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:814 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. 
Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"SSSD が列挙レコードのキャッシュを更新する前に待つ必要がある秒数を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (整数)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"使用していないエントリー(メンバーのいないグループやログインしたことがない" -"ユーザーなど)に対してキャッシュを確認して、保存領域を節約するためにそれらを" -"削除する間隔を決めます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:833 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). 
By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "初期値: host/hostname@REALM" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (文字列)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "ユーザーの完全名に対応する LDAP 属性です。" +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "初期値: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "初期値: krb5_realm の値" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (文字列)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (論理値)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." -msgstr "ユーザーのグループメンバーを一覧にする LDAP 属性です。" +#: sssd-ldap.5.xml:877 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" +"真に設定されていると、 LDAP ライブラリーは SASL バインド中にホスト名を正規化" +"するために逆引きを実行します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "初期値: memberOf" +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "初期値: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (文字列)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 -msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" -"もし access_provider=ldap かつ ldap_access_order=authorized_service ならば、" -"SSSD はアクセス権限を決定するために、ユーザーの LDAP エントリーにある " -"authorizedService 属性を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." 
+#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" -"明示的な拒否 (!svc) が始めに解決されます。次に SSSD は明示的な許可 (svc) を検" -"索します。最後にすべて許可 (*) を検索します。" +"初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:904 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (整数)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:919 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "初期値: authorizedService" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "初期値: 86400 (24 時間)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (文字列)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"access_provider=ldap かつ ldap_access_order=host ならば、 SSSD はアクセス権限" -"を決めるために、ユーザーの LDAP エントリーにあるホスト属性の存在を使用しま" -"す。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." 
+"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" -"明示的な拒否 (!host) がまず解決されます。次に SSSD が明示的な許可 (host) を検" -"索します。最後にすべて許可 (*) が検索されます。" +"KDC または kpasswd サーバーに対してサービス検索を使用するとき、SSSD はまずプ" +"ロトコルとして _udp を指定する DNS エントリーを検索して、何も見つからなけれ" +"ば _tcp にフォールバックします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "初期値: host" +"このオプションは以前の SSSD において <quote>krb5_kdcip</quote> という名前でし" +"た。古い名前がしばらく認められる間、ユーザーは代わりに <quote>krb5_server</" +"quote> を使用するよう設定ファイルを移行することが推奨されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 -msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." 
+#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." -msgstr "" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" +"LDAP サーバーに接続するとき、ホストのプリンシパルが正規化されるかどうかを指定" +"します。この機能は MIT Kerberos >= 1.7 で利用可能です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (論理値)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" +"位置情報プラグインの詳細は <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> マニュアルページを参照ください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" +"クライアント側においてパスワード期限切れを評価するためのポリシーを選択しま" +"す。以下の値が許容されます:" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1022 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" +"<emphasis>none</emphasis> - クライアント側において評価しません。このオプショ" +"ンはサーバー側のパスワードポリシーを無効にできません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (文字列)" +"<emphasis>shadow</emphasis> - パスワードが失効したかを評価するために " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> 形式の属性を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "LDAP にあるグループエントリーのオブジェクトクラスです。" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." 
+msgstr "" +"<emphasis>mit_kerberos</emphasis> - パスワードが期限切れしているかを決定する" +"ために MIT Kerberos により使用される属性を使用します。パスワードが変更される" +"とき、これらの属性を更新するために chpass_provider=krb5 を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "初期値: posixGroup" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (文字列)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "グループ名に対応する LDAP 属性です。" +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "自動参照追跡が有効化されるかを指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (文字列)" +"OpenLDAP バージョン 2.4.13 およびそれ以降とともにコンパイルされているとき、 " +"sssd のみが参照追跡をサポートすることに注意してください。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "グループの ID に対応する LDAP 属性です。" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (文字列)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "グループのメンバーの名前を含む LDAP の属性です。" +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"サービス検索が有効にされているときに使用するサービスの名前を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "初期値: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "初期値: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (文字列)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" +"サービス検索が有効にされているときに、パスワード変更を許可する LDAP サーバー" +"を検索するために使用するサービスの名前を指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (文字列)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1106 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" -"LDAP グループオブジェクトの objectSID を含む LDAP 属性です。これは通常 " -"ActiveDirectory サーバーに対してのみ必要です。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (文字列)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (文字列)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "例:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1148 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." 
+"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "初期値: 空白" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" +"このオプションを使用すると、アクセス制御属性のクライアント側評価が有効になり" +"ます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. 
the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" +"必ずサーバー側のアクセス制御を使用することが推奨されることに注意してくださ" +"い。つまり、パスワードが正しいときさえ、適切なエラーコードでバインド要求を拒" +"否します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (整数)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "以下の値が許可されます:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1184 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -"ldap_schema が入れ子グループ (例: RFC2307bis) をサポートするスキーマ形式に設" -"定されていると、このオプションが入れ子 SSSD がしたがうレベルを制御します。こ" -"のオプションは RFC2307 スキーマにおいて効果がありません。" +"<emphasis>shadow</emphasis>: アカウントが失効しているかを決めるために " +"ldap_user_shadow_expire の値を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1189 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." 
+"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1196 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "初期値: 2" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: アクセスが許可されるかされないかを確認するために " +"ldap_ns_account_lock の値を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1202 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." 
msgstr "" +"<emphasis>nds</emphasis>: アクセスが許可されるかを確認するために the values " +"of ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled および " +"ldap_user_nds_login_expiration_time の値が使用されます。どの値もなければ、ア" +"クセスが許可されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (文字列)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。" +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. 
If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -"IPA プロバイダーにおいては ipa_netgroup_object_class が代わりに使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "初期値: nisNetgroup" +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." 
-msgstr "ネットワークグループ名に対応する LDAP 属性です。" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "IPA プロバイダーにおいては ipa_netgroup_name が代わりに使用されます。" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." -msgstr "ネットワークグループのメンバーの名前を含む LDAP 属性です。" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" -"IPA プロバイダーにおいては ipa_netgroup_member が代わりに使用されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "初期値: memberNisNetgroup" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" +"<emphasis>authorized_service</emphasis>: アクセス権を決定するために " +"authorizedService 属性を使用します" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" +"<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1308 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -"ネットワークグループの三つ組(ホスト、ユーザー、ドメイン)を含む LDAP 属性で" -"す。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." 
-msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。" +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "初期値: nisNetgroupTriple" +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "初期値: filter" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "値が複数使用されていると設定エラーになることに注意してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "初期値: ipService" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" +"検索を実行するときにどのように参照解決を実行するかを指定します。以下のオプ" +"ションが許容されます:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "" +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." 
msgstr "" +"<emphasis>searching</emphasis>: エイリアスはベースオブジェクトの下位に参照解" +"決されますが、検索のベースオブジェクトの位置を探すときはされません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" +"<emphasis>finding</emphasis>: エイリアスは検索のベースオブジェクトの位置を探" +"すときのみ参照解決されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" +"<emphasis>always</emphasis>: エイリアスは検索のベースオブジェクトを検索すると" +"きも位置を検索するときも参照解決されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" +"初期値: 空白(LDAP クライアントライブラリにより <emphasis>never</emphasis> と" +"して取り扱われます)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"オプションです。ホストオブジェクトの検索ベースとして与えられた文字列を使用し" -"ます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1389 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"複数の検索ベースを設定することの詳細は <quote>ldap_search_base</quote> を参照" -"してください。" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "初期値: <emphasis>ldap_search_base</emphasis> の値" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." -msgstr "LDAP にあるサービスエントリーのオブジェクトクラスです。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. 
" +#| "<placeholder type=\"variablelist\" id=\"0\"/>" +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"SSSD ドメインに適用するすべての全体設定オプションを LDAP ドメインに適用しま" +"す。完全な詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ドメインセ" +"クション</quote> を参照してください。 <placeholder type=\"variablelist\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "SUDO オプション" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." -msgstr "サービス属性の名前とそのエイリアスを含む LDAP 属性です。" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (文字列)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "このサービスにより管理されるポートを含む LDAP 属性です。" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "初期値: ipServicePort" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (文字列)" +#: sssd-ldap.5.xml:1449 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1454 msgid "" -"The LDAP attribute that contains the protocols understood by this service." -msgstr "このサービスにより認識されるプロトコルを含む LDAP 属性です。" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"値は <emphasis>ldap_sudo_smart_refresh_interval</emphasis> より大きい必要があ" +"ります" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "初期値: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (文字列)" +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "初期値: 21600 (6 時間)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (整数)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (整数)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1474 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" -"注: このオプションは SSSD の将来のバージョンにおいて変更される可能性がありま" -"す。特定の種類の検索のために一連のタイムアウトによりある時点に置き換えられる" -"かもしれません。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (整数)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." 
msgstr "" -"<citerefentry> <refentrytitle>connect</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> に続けて <citerefentry> <refentrytitle>poll</" -"refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/<citerefentry> " -"<refentrytitle>select</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> が未使用を返した後のタイムアウト(秒単位)を指定します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (整数)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" +"ルールをフィルターするために使用されるホスト名または完全修飾ドメイン名の空白" +"区切り一覧です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (整数)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" +"<emphasis>ldap_sudo_use_host_filter</emphasis> が <emphasis>false</emphasis> " +"ならば、このオプションは効果を持ちません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "初期値: 900 (15 分)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "初期値: 指定なし" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (整数)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"1 回の要求で LDAP から取得するレコード数を指定します。いくつかの LDAP サー" -"バーは 1 要求あたりの最大数の制限を強制します。" +"ルールをフィルターするために使用される、IPv4 または IPv6 ホスト/ネットワーク" +"アドレスの空白区切り一覧です。" -#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "初期値: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" +"このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (論理値)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1559 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"LDAP ページング制御を無効にします。LDAP サーバーがその RootDSE において LDAP " -"ページング制御をサポートするが、有効化されていない、もしくは正しく動作しない" -"ことを報告する場合に、このオプションが使用されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1577 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." 
msgstr "" -"例: サーバーにページング制御モジュールがインストールされているが、RootDSE に" -"おいて有効化されていないと報告され、それを使用できない OpenLDAP サーバーで" -"す。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -"例: 389 DS は単一の接続において同時に 1 つのページ制御のみをサポートします。" -"負荷の高いクライアントにおいては、いくつかの要求が拒否される結果になる可能性" -"があります。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (論理値)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" +"このマニュアルページは属性名マッピングのみを説明します。 sudo に関連する属性" +"セマンティックの詳細な説明は <citerefentry> <refentrytitle>sudoers.ldap</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "Active Directory の範囲の取得を無効化します。" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "AUTOFS オプション" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (整数)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "高度なオプション" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (整数)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (文字列)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." 
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (文字列)" +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" -msgstr "" -"もしあれば、 TLS セッションにおいてサーバー証明書において実行するためにチェッ" -"クするものを指定します。以下の値のうち 1 つを指定できます:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." 
+"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"<emphasis>never</emphasis> = クライアントがすべてのサーバー証明書を要求または" -"確認しません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 -msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." -msgstr "" -"<emphasis>allow</emphasis> = サーバー証明書が要求されます。証明書が提供されな" -"ければ、セッションが通常通り進められます。不正な証明書が提供されると、それは" -"無視され、セッションが通常通り進められます。" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "例" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -"<emphasis>try</emphasis> = サーバー証明書が要求されます。証明書が提供されなけ" -"れば、セッションが通常通り進められます。不正な証明書が提供されると、セッショ" -"ンが直ちに終了します。" +"以下の例は、SSSD が正しく設定され、LDAP が <replaceable>[domains]</" +"replaceable> セクションにあるドメインのどれかに設定されていると仮定していま" +"す。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"<emphasis>demand</emphasis> = サーバー証明書が要求されます。証明書が提供され" -"なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "初期値: hard" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (文字列)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> が認識するすべての認証局に対する証明" -"書を含むファイルを指定します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"初期値: OpenLDAP の初期値の使用、一般的に <filename>/etc/openldap/ldap.conf</" -"filename> にあります" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (文字列)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "注記" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -"個別のファイルに CA 証明書を含むディレクトリーのパスを指定します。一般的に" -"ファイル名は '.0' で終わる証明書のハッシュである必要があります。利用可能なら" -"ば、<command>cacertdir_rehash</command> は正しい名前を作成するために使用でき" -"ます。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." -msgstr "クライアントのキーに対する証明書を含むファイルを指定します。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (文字列)" +"このマニュアルページにある設定オプションのいくつかの説明は、OpenLDAP 2.4 ディ" +"ストリビューションから <citerefentry> <refentrytitle>ldap.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページに基" +"づいています。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "クライアントのキーを含むファイルを指定します。" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (文字列)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "SSSD の PAM モジュール" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (論理値)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -"チャネルを保護するために <systemitem class=\"protocol\">tls</systemitem> も使" -"用する必要がある id_provider 接続を指定します。" +"<command>pam_sss.so</command> は System Security Services daemon (SSSD) への " +"PAM インターフェースです。エラーと結果は <command>syslog(3)</command> を通し" +"て LOG_AUTHPRIV ファシリティでログ記録されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "不明なユーザーのログメッセージを抑制します。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" -"この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" +"<option>forward_pass</option> が設定されていると、他の PAM モジュールが使用す" +"るために、入力されたパスワードがスタックに置かれます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (文字列)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" +"引数 use_first_pass は強制的にモジュールが前にスタックされたモジュールのパス" +"ワードを使用して、ユーザーに入力させません。パスワードが何も利用可能ではな" +"い、またはパスワードが適切でなければ、ユーザーがアクセスを拒否されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" +"パスワードを変更するとき、モジュールが強制的に新しいパスワードを、前にスタッ" +"クされたパスワードモジュールに設定します。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (文字列)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" +"指定されていると、認証に失敗した場合にパスワードをあと N 回ユーザーに問い合わ" +"せます。初期値は 0 です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." 
msgstr "" +"このオプションは、アプリケーションが呼び出す PAM が自身においてユーザーダイア" +"ログを処理すると仮定して動作しません。典型的な例は " +"<option>PasswordAuthentication</option> を用いた <command>sshd</command> で" +"す。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "初期値: host/hostname@REALM" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (文字列)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "初期値: krb5_realm の値" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -"真に設定されていると、 LDAP ライブラリーは SASL バインド中にホスト名を正規化" -"するために逆引きを実行します。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "初期値: false;" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -"初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (論理値)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (整数)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "初期値: 86400 (24 時間)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -"KDC または kpasswd サーバーに対してサービス検索を使用するとき、SSSD はまずプ" -"ロトコルとして _udp を指定する DNS エントリーを検索して、何も見つからなけれ" -"ば _tcp にフォールバックします。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -"このオプションは以前の SSSD において <quote>krb5_kdcip</quote> という名前でし" -"た。古い名前がしばらく認められる間、ユーザーは代わりに <quote>krb5_server</" -"quote> を使用するよう設定ファイルを移行することが推奨されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (文字列)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" -msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 +msgid "" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"LDAP サーバーに接続するとき、ホストのプリンシパルが正規化されるかどうかを指定" -"します。この機能は MIT Kerberos >= 1.7 で利用可能です。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." 
+"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -"位置情報プラグインの詳細は <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> マニュアルページを参照ください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (文字列)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "提供されるモジュール形式" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"クライアント側においてパスワード期限切れを評価するためのポリシーを選択しま" -"す。以下の値が許容されます:" +"すべてのモジュール形式 (<option>account</option>, <option>auth</option>, " +"<option>password</option> および <option>session</option>) が提供されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." 
msgstr "" -"<emphasis>none</emphasis> - クライアント側において評価しません。このオプショ" -"ンはサーバー側のパスワードポリシーを無効にできません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "ファイル" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"<emphasis>shadow</emphasis> - パスワードが失効したかを評価するために " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> 形式の属性を使用します。" +"対応する SSSD プロバイダーがパスワードリセットをサポートしないため、root によ" +"るパスワードリセットが失敗すると、それぞれのメッセージが表示されます。たとえ" +"ば、このメッセージはパスワードをリセットする方法に関する説明があります。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"<emphasis>mit_kerberos</emphasis> - パスワードが期限切れしているかを決定する" -"ために MIT Kerberos により使用される属性を使用します。パスワードが変更される" -"とき、これらの属性を更新するために chpass_provider=krb5 を使用します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" +"これらのファイルがディレクトリー <filename>/etc/sssd/customize/DOMAIN_NAME/</" +"filename> において検索されます。一致するファイルがなければ、一般的なメッセー" +"ジが表示されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (論理値)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "自動参照追跡が有効化されるかを指定します。" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -"OpenLDAP バージョン 2.4.13 およびそれ以降とともにコンパイルされているとき、 " -"sssd のみが参照追跡をサポートすることに注意してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. 
Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 +msgid "" +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -"サービス検索が有効にされているときに使用するサービスの名前を指定します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "初期値: ldap" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 -msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -"サービス検索が有効にされているときに、パスワード変更を許可する LDAP サーバー" -"を検索するために使用するサービスの名前を指定します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" -msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (論理値)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "例:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" +"すべての Kerberos 実装がプラグインの使用をサポートしているとは限りません。 " +"<command>sssd_krb5_locator_plugin</command> がシステムにおいて利用可能でなけ" +"れば、Kerberos の構築を反映するように /etc/krb5.conf を編集する必要がありま" +"す。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" +"環境変数 SSSD_KRB5_LOCATOR_DEBUG に何らかの値が設定されていると、デバッグメッ" +"セージが標準エラーに送られます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." 
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "初期値: 空白" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (文字列)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "SSSD の 'simple' アクセス制御プロバイダーの設定ファイルです。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -"このオプションを使用すると、アクセス制御属性のクライアント側評価が有効になり" -"ます。" +"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> に対して簡単なアクセス制御の設定を説" +"明しています。詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ファイル形" +"式</quote> セクションを参照してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"必ずサーバー側のアクセス制御を使用することが推奨されることに注意してくださ" -"い。つまり、パスワードが正しいときさえ、適切なエラーコードでバインド要求を拒" -"否します。" +"シンプルアクセスプロバイダーは、ユーザー名またはグループ名のアクセスまたは拒" +"否の一覧に基づいてアクセスを許可または拒否します。以下の例を適用します:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "以下の値が許可されます:" +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "すべての一覧が空白ならば、アクセスが認められます" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -"<emphasis>shadow</emphasis>: アカウントが失効しているかを決めるために " -"ldap_user_shadow_expire の値を使用します。" +"何らかの一覧が提供されていると、許可(allow)、拒否(deny)の順に評価されま" +"す。拒否ルールに一致するすべてのものは、許可ルールに一致するすべてのものを更" +"新することを意味します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" +"\"allow\" 一覧が提供されていると、すべてのユーザーはこの一覧に表れなければ拒" +"否されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: アクセスが許可されるかされないかを確認するために " -"ldap_ns_account_lock の値を使用します。" +"\"deny\" 一覧のみが提供されていると、ユーザーがこの一覧に表れない限り、すべて" +"のユーザーがアクセスを許可されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 -msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." -msgstr "" -"<emphasis>nds</emphasis>: アクセスが許可されるかを確認するために the values " -"of ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled および " -"ldap_user_nds_login_expiration_time の値が使用されます。どの値もなければ、ア" -"クセスが許可されます。" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." -msgstr "" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "ログインが許可されたユーザーのカンマ区切り一覧です。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (文字列)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" -msgstr "" -"アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:" +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "アクセスが明示的に拒否されたユーザーのカンマ区切り一覧です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#: sssd-simple.5.xml:100 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" +"ログインが許可されたグループのカンマ区切り一覧です。この SSSD ドメインの中の" +"グループのみに適用されます。ローカルグループは評価されません。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 -msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" +"アクセスが明示的に拒否されたグループのカンマ区切り一覧です。この SSSD ドメイ" +"ンの中のグループのみに適用されます。ローカルグループは評価されません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの " +"<quote>ドメインセクション</quote> のセクションを参照してください。 " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." 
+"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" +"simple_allow_users と simple_deny_users がどちらも定義されると、設定エラーに" +"なることに注意してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" +"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</" +"replaceable> セクションにあるドメインの 1 つであると仮定します。この例はアク" +"セスプロバイダー固有の簡単なオプションのみを示します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" -msgstr "" -"<emphasis>authorized_service</emphasis>: アクセス権を決定するために " -"authorizedService 属性を使用します" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -"<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 -msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "初期値: filter" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." -msgstr "値が複数使用されていると設定エラーになることに注意してください。" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -"検索を実行するときにどのように参照解決を実行するかを指定します。以下のオプ" -"ションが許容されます:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." -msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -"<emphasis>searching</emphasis>: エイリアスはベースオブジェクトの下位に参照解" -"決されますが、検索のベースオブジェクトの位置を探すときはされません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -"<emphasis>finding</emphasis>: エイリアスは検索のベースオブジェクトの位置を探" -"すときのみ参照解決されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." 
msgstr "" -"<emphasis>always</emphasis>: エイリアスは検索のベースオブジェクトを検索すると" -"きも位置を検索するときも参照解決されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -"初期値: 空白(LDAP クライアントライブラリにより <emphasis>never</emphasis> と" -"して取り扱われます)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (論理値)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -"SSSD ドメインに適用するすべての全体設定オプションを LDAP ドメインに適用しま" -"す。完全な詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ドメインセ" -"クション</quote> を参照してください。 <placeholder type=\"variablelist\" id=" -"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "SUDO オプション" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "LDAP にある sudo ルールエントリーのオブジェクトクラスです。" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "初期値: sudoRole" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "sudo ルール名に対応する LDAP 属性です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "コマンド名に対応する LDAP 属性です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "初期値: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -"ホスト名(またはホスト IP アドレス、ホスト IP ネットワーク、ホストネットワー" -"クグループ)に対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "初期値: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (文字列)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -"ユーザー名(または UID、グループ名、ユーザーのネットワークグループ)に対応す" -"る LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "初期値: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "sudo オプションに対応する LDAP 属性です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "初期値: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." -msgstr "コマンドを実行するユーザー名に対応する LDAP 属性です。" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "初期値: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -"コマンドを実行するグループ名またはグループの GID に対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "初期値: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 -msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." 
-msgstr "sudo ルールが有効になる開始日時に対応する LDAP 属性です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "初期値: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -"sudo ルールが有効ではなくなった後に、期限切れとなる日時に対応する LDAP 属性で" -"す。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "初期値: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." -msgstr "ルールの並び替えインデックスに対応する LDAP 属性です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "初期値: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (整数)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -"値は <emphasis>ldap_sudo_smart_refresh_interval</emphasis> より大きい必要があ" -"ります" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "初期値: 21600 (6 時間)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (整数)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (論理値)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -"ルールをフィルターするために使用されるホスト名または完全修飾ドメイン名の空白" -"区切り一覧です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -"<emphasis>ldap_sudo_use_host_filter</emphasis> が <emphasis>false</emphasis> " -"ならば、このオプションは効果を持ちません。" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "初期値: 指定なし" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -"ルールをフィルターするために使用される、IPv4 または IPv6 ホスト/ネットワーク" -"アドレスの空白区切り一覧です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -"このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (論理値)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (論理値)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -"このマニュアルページは属性名マッピングのみを説明します。 sudo に関連する属性" -"セマンティックの詳細な説明は <citerefentry> <refentrytitle>sudoers.ldap</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "AUTOFS オプション" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "LDAP にある automount マップエントリーのオブジェクトクラスです。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "LDAP における automount のマップエントリーの名前です。" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 -msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"LDAP にある automount エントリーのキーです。エントリーは一般的にマウントポイ" -"ントと対応します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "高度なオプション" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (文字列)" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "例" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -"以下の例は、SSSD が正しく設定され、LDAP が <replaceable>[domains]</" -"replaceable> セクションにあるドメインのどれかに設定されていると仮定していま" -"す。" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." 
+"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "注記" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. 
Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -"このマニュアルページにある設定オプションのいくつかの説明は、OpenLDAP 2.4 ディ" -"ストリビューションから <citerefentry> <refentrytitle>ldap.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページに基" -"づいています。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "SSSD の PAM モジュール" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." 
+"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -"<command>pam_sss.so</command> は System Security Services daemon (SSSD) への " -"PAM インターフェースです。エラーと結果は <command>syslog(3)</command> を通し" -"て LOG_AUTHPRIV ファシリティでログ記録されます。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "不明なユーザーのログメッセージを抑制します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -"<option>forward_pass</option> が設定されていると、他の PAM モジュールが使用す" -"るために、入力されたパスワードがスタックに置かれます。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -"引数 use_first_pass は強制的にモジュールが前にスタックされたモジュールのパス" -"ワードを使用して、ユーザーに入力させません。パスワードが何も利用可能ではな" -"い、またはパスワードが適切でなければ、ユーザーがアクセスを拒否されます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -"パスワードを変更するとき、モジュールが強制的に新しいパスワードを、前にスタッ" -"クされたパスワードモジュールに設定します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -"指定されていると、認証に失敗した場合にパスワードをあと N 回ユーザーに問い合わ" -"せます。初期値は 0 です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -"このオプションは、アプリケーションが呼び出す PAM が自身においてユーザーダイア" -"ログを処理すると仮定して動作しません。典型的な例は " -"<option>PasswordAuthentication</option> を用いた <command>sshd</command> で" -"す。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 -msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 -msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. 
the certificate from a Smartcard." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 -msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 -msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." 
+"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "提供されるモジュール形式" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"すべてのモジュール形式 (<option>account</option>, <option>auth</option>, " -"<option>password</option> および <option>session</option>) が提供されます。" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "ファイル" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -"対応する SSSD プロバイダーがパスワードリセットをサポートしないため、root によ" -"るパスワードリセットが失敗すると、それぞれのメッセージが表示されます。たとえ" -"ば、このメッセージはパスワードをリセットする方法に関する説明があります。" #. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#: sssd-ipa.5.xml:23 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説" +"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd." 
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー" +"ジの <quote>ファイル形式</quote> を参照してください。" #. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#: sssd-ipa.5.xml:36 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -"これらのファイルがディレクトリー <filename>/etc/sssd/customize/DOMAIN_NAME/</" -"filename> において検索されます。一致するファイルがなければ、一般的なメッセー" -"ジが表示されます。" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" +"IPA プロバイダーは IPA サーバーに接続するために使用されるバックエンドです。" +"(IPA サーバーに関する詳細は freeipa.org のウェブサイトを参照してください。)" +"このプロバイダーは、マシンが IPA ドメインに参加していて、設定がすでに全体的に" +"自己検索され、サーバーから直接取得されている必要があります。" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#: sssd-ipa.5.xml:57 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#: sssd-ipa.5.xml:62 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. 
No configuration of access provider is required on the client side." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#: sssd-ipa.5.xml:67 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. 
This is optional. If not provided, " +"the configuration domain name is used." msgstr "" +"IPA ドメインの名前を指定します。これはオプションです。提供されなければ、設定" +"ドメイン名が使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (文字列)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." 
+"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"Not all Kerberos implementations support the use of plugins. 
If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -"すべての Kerberos 実装がプラグインの使用をサポートしているとは限りません。 " -"<command>sssd_krb5_locator_plugin</command> がシステムにおいて利用可能でなけ" -"れば、Kerberos の構築を反映するように /etc/krb5.conf を編集する必要がありま" -"す。" +"注: (RHEL5 のような) 古いシステムにおいて、この動作が正しく機能するためには、" +"デフォルトの Kerberos レルムが /etc/krb5.conf において正しく設定されている必" +"要があります" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -"環境変数 SSSD_KRB5_LOCATOR_DEBUG に何らかの値が設定されていると、デバッグメッ" -"セージが標準エラーに送られます。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. 
This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "初期値: 1200 (秒)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" -msgstr "SSSD の 'simple' アクセス制御プロバイダーの設定ファイルです。" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (文字列)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. 
For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> に対して簡単なアクセス制御の設定を説" -"明しています。詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ファイル形" -"式</quote> セクションを参照してください。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -"シンプルアクセスプロバイダーは、ユーザー名またはグループ名のアクセスまたは拒" -"否の一覧に基づいてアクセスを許可または拒否します。以下の例を適用します:" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "すべての一覧が空白ならば、アクセスが認められます" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If any list is provided, the order of evaluation is allow,deny. 
This means " -"that any matching deny rule will supersede any matched allow rule." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -"何らかの一覧が提供されていると、許可(allow)、拒否(deny)の順に評価されま" -"す。拒否ルールに一致するすべてのものは、許可ルールに一致するすべてのものを更" -"新することを意味します。" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -"\"allow\" 一覧が提供されていると、すべてのユーザーはこの一覧に表れなければ拒" -"否されます。" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -"\"deny\" 一覧のみが提供されていると、ユーザーがこの一覧に表れない限り、すべて" -"のユーザーがアクセスを許可されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." 
-msgstr "ログインが許可されたユーザーのカンマ区切り一覧です。" +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (文字列)" +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." -msgstr "アクセスが明示的に拒否されたユーザーのカンマ区切り一覧です。" +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "DNS サイトの有効化 - 位置情報に基づいたサービス探索。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (文字列)" +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (整数)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#: sssd-ipa.5.xml:247 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -"ログインが許可されたグループのカンマ区切り一覧です。この SSSD ドメインの中の" -"グループのみに適用されます。ローカルグループは評価されません。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (文字列)" +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (論理値)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -"アクセスが明示的に拒否されたグループのカンマ区切り一覧です。この SSSD ドメイ" -"ンの中のグループのみに適用されます。ローカルグループは評価されません。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -"SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの " -"<quote>ドメインセクション</quote> のセクションを参照してください。 " -"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "初期値: False (無効)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" +"nsupdate ユーティリティが DNS サーバーと通信するために TCP を標準で使用するか" +"どうか。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -"simple_allow_users と simple_deny_users がどちらも定義されると、設定エラーに" -"なることに注意してください。" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</" -"replaceable> セクションにあるドメインの 1 つであると仮定します。この例はアク" -"セスプロバイダー固有の簡単なオプションのみを示します。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 -msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. 
If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 -msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "初期値: ベース DN を使用します" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 -msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" +"オプションです。与えられた文字列を HBAC 関連オブジェクトに対する検索ベースと" +"して使用します。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 -msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 -msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" +"オプションです。与えられた文字列を SELinux ユーザーマップに対する検索ベースと" +"して使用します。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" +"オプションです。信頼されたドメインに対する検索ベースとして、与えられた文字列" +"を使用します。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 -msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "初期値: <emphasis>cn=trusts,%basedn</emphasis> の値" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 -msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "初期値: <emphasis>cn=ad,cn=etc,%basedn</emphasis> の値" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" +"Kerberos レルムの名前です。これはオプションで、初期値は <quote>ipa_domain</" +"quote> の値です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" +"IPA において特別な意味を持つ Kerberos レルムの名前です。LDAP 操作を実行するた" +"めに使用するベース DN に変換されます。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "初期値: 5 (秒)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (整数)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. 
" +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (整数)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (論理値)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 -msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" +msgstr "この IPA クライアントが使用する automounter の場所です" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "初期値: \"default\" という名前の場所" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "初期値: cn" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:643 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#: sssd-ipa.5.xml:656 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#: sssd-ipa.5.xml:696 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" +"'subdomains_provider = ipa' オプションが sssd.conf のドメインのセクションに見" +"つかれば、IPA サブドメインプロバイダーが明示的に設定されます。すべてのサブド" +"メインのリクエストが必要に応じて IPA サーバーに送られます。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:775 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 -msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 -msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 -msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. 
an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 -msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 -msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. 
In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" +"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</" +"replaceable> セクションにあるドメインの 1 つであることを仮定しています。この" +"例は IPA プロバイダー固有のオプションのみを示しています。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 -msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." 
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." 
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. 
Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" +"Active Directory ドメインの名前を指定します。これはオプションです。指定されな" +"ければ、設定のドメイン名が使用されます。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" +"正しい動作のために、このオプションは Active Directory ドメインの長いバージョ" +"ンの小文字バージョンとして指定されます。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." 
+"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (string)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" +"オプションです。hostname(5) が Active Directory ドメインにおいて使用される完" +"全修飾名を反映しないマシンにおいてマシンに設定されるかもしれません。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" +"この項目はキーテーブルにおいて使用中のホストプリンシパルを決定するために使用" +"されます。キーテーブルが発行されたホスト名と一致する必要があります。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (論理値)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. 
Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. 
If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説" -"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー" -"ジの <quote>ファイル形式</quote> を参照してください。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -"IPA プロバイダーは IPA サーバーに接続するために使用されるバックエンドです。" -"(IPA サーバーに関する詳細は freeipa.org のウェブサイトを参照してください。)" -"このプロバイダーは、マシンが IPA ドメインに参加していて、設定がすでに全体的に" -"自己検索され、サーバーから直接取得されている必要があります。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. 
" -"However, it is neither necessary nor recommended to set these options." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." 
+"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (文字列)" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:325 msgid "" -"Specifies the name of the IPA domain. This is optional. 
If not provided, " -"the configuration domain name is used." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -"IPA ドメインの名前を指定します。これはオプションです。提供されなければ、設定" -"ドメイン名が使用されます。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" -msgstr "ipa_server, ipa_backup_server (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:333 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (文字列)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:350 msgid "" -"Optional. 
May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" -msgstr "dyndns_update (論理値)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:359 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#: sssd-ad.5.xml:367 msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. 
Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -"注: (RHEL5 のような) 古いシステムにおいて、この動作が正しく機能するためには、" -"デフォルトの Kerberos レルムが /etc/krb5.conf において正しく設定されている必" -"要があります" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:376 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" -msgstr "dyndns_ttl (整数)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "初期値: 1200 (秒)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" -msgstr "dyndns_iface (文字列)" +#: sssd-ad.5.xml:401 +msgid "" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:410 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:417 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 -msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" -msgstr "ipa_enable_dns_sites (論理値)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." -msgstr "DNS サイトの有効化 - 位置情報に基づいたサービス探索。" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:475 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" -msgstr "dyndns_refresh_interval (整数)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:495 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. 
This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" -msgstr "dyndns_update_ptr (論理値)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:515 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:531 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. 
If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "初期値: False (無効)" +#: sssd-ad.5.xml:549 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (論理値)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:554 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"nsupdate ユーティリティが DNS サーバーと通信するために TCP を標準で使用するか" -"どうか。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:638 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." 
+"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:657 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 -msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:697 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "初期値: ベース DN を使用します" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -"オプションです。与えられた文字列を HBAC 関連オブジェクトに対する検索ベースと" -"して使用します。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" -"オプションです。与えられた文字列を SELinux ユーザーマップに対する検索ベースと" -"して使用します。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (文字列)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:755 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -"オプションです。信頼されたドメインに対する検索ベースとして、与えられた文字列" -"を使用します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "初期値: <emphasis>cn=trusts,%basedn</emphasis> の値" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." 
-msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "初期値: <emphasis>cn=ad,cn=etc,%basedn</emphasis> の値" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:790 msgid "" -"The name of the Kerberos realm. 
This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -"Kerberos レルムの名前です。これはオプションで、初期値は <quote>ipa_domain</" -"quote> の値です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" -"IPA において特別な意味を持つ Kerberos レルムの名前です。LDAP 操作を実行するた" -"めに使用するベース DN に変換されます。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:808 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. 
If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:826 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:852 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "初期値: 5 (秒)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:857 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (整数)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:901 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (整数)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." 
+"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (論理値)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:927 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 -msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "この IPA クライアントが使用する automounter の場所です" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "初期値: \"default\" という名前の場所" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. 
The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "初期値: 3600 (秒)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "初期値: True" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" +"以下の例は SSSD が正しく設定され、example.com が <replaceable>[sssd]</" +"replaceable> セクションにあるドメインの一つであると仮定しています。この例は " +"AD プロバイダー固有のオプションのみ示してします。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "SSSD バックエンドを用いた sudo の設定法" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 -msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sssd-sudo.5.xml:38 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"'subdomains_provider = ipa' オプションが sssd.conf のドメインのセクションに見" -"つかれば、IPA サブドメインプロバイダーが明示的に設定されます。すべてのサブド" -"メインのリクエストが必要に応じて IPA サーバーに送られます。" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd-sudo.5.xml:47 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 +#: sssd-sudo.5.xml:57 #, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" -msgstr "" +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sssd-sudo.5.xml:61 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sssd-sudo.5.xml:70 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 -msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "sudo ルールを取得するよう SSSD を設定する方法" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"The following options can be set in a subdomain section on an IPA master:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "SUDO ルールキャッシュメカニズム" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. 
" +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sssd-sudo.5.xml:161 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"If enabled, SSSD will store only rules that can be applied to this machine. 
" +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</" -"replaceable> セクションにあるドメインの 1 つであることを仮定しています。この" -"例は IPA プロバイダー固有のオプションのみを示しています。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "keyword ALL" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "ワイルドカード" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "netgroup (\"+netgroup\" の形式)" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "このマシンのホスト名または完全修飾ドメイン名" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "このマシンの IP アドレスのどれか" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "ネットワークの IP アドレスのどれか (\"address/mask\" 形式)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"There are many configuration options that can be used to adjust the " +"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "" +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "System Security Services Daemon" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sssd.8.xml:31 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." 
+"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" +"<command>SSSD</command> はリモートディレクトリーへのアクセスと認証メカニズム" +"を管理するための一組のデーモンを提供します。システムへの NSS と PAM インター" +"フェースを提供します。また、D-Bus インターフェースのように複数の異なるアカウ" +"ントソースに接続するための取り外し可能なバックエンドシステムを提供します。ク" +"ライアント監査、およびFreeIPA のようなプロジェクトに対するポリシーサービスを" +"提供する基礎となります。ローカルユーザーだけでなく拡張ユーザーデータを保存す" +"るためのより強靭なデータベースを提供します。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "<emphasis>1</emphasis>: デバッグメッセージに日時を追加します" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "<emphasis>0</emphasis>: デバッグメッセージで日時を無効にします" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. 
No configuration of the access provider is required on the client " -"side." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" +"<emphasis>1</emphasis>: デバッグメッセージにミリ秒をタイムスタンプに追加しま" +"す" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "<emphasis>0</emphasis>: 日時でマイクロ秒を無効にします" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" +"デバッグ出力を標準エラーの代わりにファイルに送信します。初期状態で、ログファ" +"イルは <filename>/var/log/sssd</filename> に保存され、すべての SSSD サービス" +"とドメインに対して別々のログファイルがあります。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"ldap_id_mapping = False\n" -" " +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -"ldap_id_mapping = False\n" -" " -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. 
The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -"Active Directory ドメインの名前を指定します。これはオプションです。指定されな" -"ければ、設定のドメイン名が使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -"正しい動作のために、このオプションは Active Directory ドメインの長いバージョ" -"ンの小文字バージョンとして指定されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "起動後にデーモンになります。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap -msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 -msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "フォアグラウンドで実行して、デーモンになりません。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"非標準の設定ファイルを指定します。初期値は <filename>/etc/sssd/sssd.conf</" +"filename> です。設定ファイルの構文とオプションは <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> マニュアルページを参照してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (文字列)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." 
+"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 -msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." 
-msgstr "" -"オプションです。hostname(5) が Active Directory ドメインにおいて使用される完" -"全修飾名を反映しないマシンにおいてマシンに設定されるかもしれません。" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "バージョン番号を表示して終了します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "シグナル" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -"この項目はキーテーブルにおいて使用中のホストプリンシパルを決定するために使用" -"されます。キーテーブルが発行されたホスト名と一致する必要があります。" +"SSSD にすべての子プロセスを穏やかに停止するよう通知して、モニターをシャットダ" +"ウンします。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" +"SSSD が現在のデバッグファイルディスクリプターに書き込むことを止めて、それらを" +"閉じてから開きなおすよう指示します。これは logrotate のようなプログラムを用い" +"てログローテーションを促進することを意味します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +#| "debug messages will be sent to stderr." msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" +"環境変数 SSSD_KRB5_LOCATOR_DEBUG に何らかの値が設定されていると、デバッグメッ" +"セージが標準エラーに送られます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "平文パスワードをわかりにくくする" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" +"<command>sss_obfuscate</command> は、与えられたパスワードを人間が読みにくい形" +"式に変換して、SSSD 設定ファイルの適切なドメインセクションに置きます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" +"平文のパスワードは、標準入力から読み込まれます、または対話的に入力されます。" +"解読しにくくされたパスワードが指定された SSSD ドメインの " +"<quote>ldap_default_authtok</quote> パラメータに置かれます。また " +"<quote>ldap_default_authtok_type</quote> パラメーターが " +"<quote>obfuscated_password</quote> に設定されます。これらのパラメーターの詳細" +"は <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> を参照してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" +"パスワードをわかりにくくすることは、攻撃者がパスワードをリバースエンジニアリ" +"ングできるので <emphasis>実際にセキュリティの便益</emphasis> は提供されませ" +"ん。クライアントサイド証明書や GSSAPI のようなより良い認証機構を使用すること" +"を <emphasis>強く</emphasis> 推奨します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 -msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." 
+msgstr "解読しにくくするパスワードが標準入力から読み込まれます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" +"パスワードに使用する SSSD ドメインです。名前の初期値は <quote>default</" +"quote> です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "位置パラメーターにより指定された設定ファイルを読み込みます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 -msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "初期値: <filename>/etc/sssd/sssd.conf</filename>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 -msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." 
+"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "新しいユーザーを作成する" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" +"<command>sss_useradd</command> は、コマンドラインにおいて指定された値とシステ" +"ムの初期値を使用して、新しいユーザーを作成します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"ユーザーの UID を <replaceable>UID</replaceable> の値を設定します。与えられな" +"いと、自動的に選択されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" +"ユーザーを説明している任意のテキスト文字列です。しばしばユーザーの完全名の項" +"目として使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." 
msgstr "" +"ユーザーアカウントのホームディレクトリーです。初期値は <filename>/home</" +"filename> に <replaceable>LOGIN</replaceable> の名前を追加して、ホームディレ" +"クトリーとして使用します。 <replaceable>LOGIN</replaceable> の前につけるベー" +"スは sssd.conf において <quote>user_defaults/baseDirectory</quote> 設定で変更" +"できます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" +"ユーザーのログインシェルです。初期値は現在 <filename>/bin/bash</filename> で" +"す。初期値は sssd.conf において <quote>user_defaults/defaultShell</quote> で" +"変更できます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. 
Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "このユーザーがメンバーである既存のユーザーの一覧です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" +"ユーザーのホームディレクトリーが存在しなければ、それを作成します。(-k オプ" +"ションまたは設定ファイルで定義できる)スケルトンディレクトリーにあるファイル" +"とディレクトリーがホームディレクトリーにコピーされます。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " -msgstr "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "ユーザーのホームディレクトリーを作成しません。設定を上書きします。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" +"スケルトンディレクトリーです。ホームディレクトリーが <command>sss_useradd</" +"command> により作成されるとき、ユーザーのホームディレクトリーにコピーされる" +"ファイルとディレクトリーを含みます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" +"特殊ファイル (ブロックデバイス、キャラクターデバイス、名前付きパイプおよび " +"UNIX ソケット) はコピーされません。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" +"<option>-m</option> (または <option>--create-home</option>) オプションが指定" +"されたとき、またはホームディレクトリーの作成が設定において TRUE に設定されて" +"いる場合のみ、このオプションが有効です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" +"ユーザーがログインする際の SELinux ユーザーです。未指定の場合、システムの初期" +"値を使います。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." 
msgstr "" +"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> に対する Kerberos 5 認証バックエンド" +"の設定を説明しています。詳細な構文の参考資料は、<citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> マニュアルページの <quote>ファイル形式</quote> セクションを参照" +"してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" +"Kerberos 5 認証バックエンドは認証プロバイダーおよびパスワード変更プロバイダー" +"を含みます。正しく機能するためには識別プロダイバーと組み合わせて使用する必要" +"があります (たとえば、id_provider = ldap)。Kerberos 5 認証バックエンドにより" +"必要とされるいくつかの情報は、ユーザーの Kerberos プリンシパル名 (UPN) のよう" +"な、識別プロバイダーにより提供される必要があります。識別プロバイダーの設定は " +"UPN を指定するためのエントリーがある必要があります。これを設定する方法に関す" +"る詳細は適用可能な識別プロバイダーのマニュアルページを参照してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. 
" +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" +"このバックエンドは、ユーザーのホームディレクトリーにある .k5login ファイルに" +"基づいたアクセス制御を提供します。詳細は <citerefentry> <refentrytitle>." +"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してく" +"ださい。空の .k5login ファイルがあると、このユーザーに対するすべてのアクセス" +"が拒否されます。この機能を有効にするには、SSSD 設定において 'access_provider " +"= krb5' を使用します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" +"UPN が識別バックエンド <command>sssd</command> において利用できない場合は、形" +"式 <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable> " +"を使用して UPN を構築します。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:77 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." 
msgstr "" +"SSSD が接続したい AD サーバー(優先順)の IP アドレスまたはホスト名のカンマ区" +"切り一覧を指定します。フェールオーバーおよびサーバー冗長化に関する詳細は " +"<quote>FAILOVER</quote> セクションを参照してください。ポート番号(コロンの後" +"ろ)をオプションとして、アドレスやホスト名の後ろに付けることもできます。これ" +"が無ければ、サービス探索が有効になっています。詳細は <quote>サービス探索</" +"quote> のセクションを参照してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "" +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "Kerberos レルムの名前です。このオプションは指定する必要があります。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" -msgstr "" +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (文字列)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:116 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" +"パスワード変更サービスが KDC において実行されていなければ、代替サーバーがここ" +"で指定できます。オプションのポート番号が(コロンに続けて)アドレスまたはホス" +"ト名に追加できます。" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:122 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" +"フェイルオーバーとサーバー冗長性に関する詳細は、<quote>フェイルオーバー</" +"quote>のセクションを参照してください。注:KDC に対する認証がまだ可能であるな" +"らば、たとえすべての kpasswd サーバーがなかったとしても、バックエンドをオフラ" +"インに切り替えないことに注意してください。" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "初期値: 3600 (秒)" +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "初期値: KDC を使用します" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (文字列)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:138 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "初期値: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "初期値: /tmp" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." -msgstr "" -"以下の例は SSSD が正しく設定され、example.com が <replaceable>[sssd]</" -"replaceable> セクションにあるドメインの一つであると仮定しています。この例は " -"AD プロバイダー固有のオプションのみ示してします。" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (文字列)" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "ログイン名" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "ログイン UID" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "プリンシパル名" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "レルム名" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "ホームディレクトリー" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "SSSD クライアントのプロセス ID" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "文字 '%'" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. 
Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "SSSD バックエンドを用いた sudo の設定法" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (整数)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" +"オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトで" +"す。可能ならば、認証要求がオフラインで継続されます。" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (論理値)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" +"KDC から取得したクレディンシャルを検証するときに使用されるキーテーブルの場所" +"です。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "初期値: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "sudo ルールを取得するよう SSSD を設定する方法" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (文字列)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "秒は <emphasis>s</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "分は <emphasis>m</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "時間は <emphasis>h</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "日は <emphasis>d</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" +"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" +"指定したい場合、'1h30m' の代わりに '90m' を使用します。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "初期値: 設定されません、つまり TGT は更新可能ではありません" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. 
</phrase>" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" +"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" +"指定したい場合、'1h30m' の代わりに '90m' を使用してください。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" +"初期値: 設定されません、つまり KDC において設定されているチケット有効期間の初" +"期値です。" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "SUDO ルールキャッシュメカニズム" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (文字列)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." 
+"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" +"このオプションが設定されていない場合、または 0 に設定されている場合、自動更新" +"は無効になります。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" +"Kerberos の事前認証のために flexible authentication secure tunneling (FAST) " +"を有効化します。以下のオプションがサポートされます:" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" +"<emphasis>never</emphasis> は FAST を使用します。このオプションを何も設定しな" +"いことと同等です。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" +"<emphasis>try</emphasis> は FAST を使用します。サーバーが FAST をサポートして" +"いなければ、FAST を使用せずに認証を続行します。" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "keyword ALL" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "ワイルドカード" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "netgroup (\"+netgroup\" の形式)" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" -msgstr "このマシンのホスト名または完全修飾ドメイン名" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" +"<emphasis>demand</emphasis> は FAST を使用します。サーバーが FAST を要求しな" +"ければ、認証が失敗します。" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "このマシンの IP アドレスのどれか" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "初期値: 設定されません、つまり FAST が使用されません。" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "ネットワークの IP アドレスのどれか (\"address/mask\" 形式)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "注: キーテーブルは FAST を使用する必要があります。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" +"注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポート" +"します。SSSD が古いバージョンの MIT Kerberos を使用している場合、このオプショ" +"ンを使用すると設定エラーになります。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (文字列)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "System Security Services Daemon" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "FAST に対して使用するサーバープリンシパルを指定します。" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は " +"MIT Kerberos 1.7 およびそれ以降で利用可能です。" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 -msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -"<command>SSSD</command> はリモートディレクトリーへのアクセスと認証メカニズム" -"を管理するための一組のデーモンを提供します。システムへの NSS と PAM インター" -"フェースを提供します。また、D-Bus インターフェースのように複数の異なるアカウ" -"ントソースに接続するための取り外し可能なバックエンドシステムを提供します。ク" -"ライアント監査、およびFreeIPA のようなプロジェクトに対するポリシーサービスを" -"提供する基礎となります。ローカルユーザーだけでなく拡張ユーザーデータを保存す" -"るためのより強靭なデータベースを提供します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" -msgstr "<emphasis>1</emphasis>: デバッグメッセージに日時を追加します" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" -msgstr "<emphasis>0</emphasis>: デバッグメッセージで日時を無効にします" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " +#| "more information on the locator plugin." 
msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -"<emphasis>1</emphasis>: デバッグメッセージにミリ秒をタイムスタンプに追加しま" -"す" +"位置情報プラグインの詳細は <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> マニュアルページを参照ください。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" -msgstr "<emphasis>0</emphasis>: 日時でマイクロ秒を無効にします" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (論理値)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"Specifies if the user principal should be treated as enterprise principal. 
" +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -"デバッグ出力を標準エラーの代わりにファイルに送信します。初期状態で、ログファ" -"イルは <filename>/var/log/sssd</filename> に保存され、すべての SSSD サービス" -"とドメインに対して別々のログファイルがあります。" +"ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指" +"定します。エンタープライズプリンシパルの詳細は RFC 6806 のセクション 5 を参照" +"してください。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." 
+"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"認証モジュール krb5 が SSSD ドメインにおいて使用されていると、以下のオプショ" +"ンを使用する必要があります。 SSSD ドメインの設定における詳細は " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> マニュアルページの <quote>ドメインセクション</" +"quote> を参照してください。 <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "起動後にデーモンになります。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" +"以下の例は、SSSD が正しく設定され、FOO が <replaceable>[sssd]</replaceable> " +"セクションにあるドメインの 1 つであると仮定しています。この例は Kerberos 認証" +"の設定のみを示し、識別プロバイダーを何も含みません。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "フォアグラウンドで実行して、デーモンになりません。" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "新しいグループを作成する" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"非標準の設定ファイルを指定します。初期値は <filename>/etc/sssd/sssd.conf</" -"filename> です。設定ファイルの構文とオプションは <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> マニュアルページを参照してください。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" +"<command>sss_groupadd</command> が新しいグループを作成します。これらのグルー" +"プは POSIX グループと互換性があり、他のグループをメンバーとして含められる追加" +"機能と互換性があります。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_groupadd.8.xml:48 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" +"グループの GID を <replaceable>GID</replaceable> の値に設定します。与えられな" +"いと、自動的に選択されます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "バージョン番号を表示して終了します。" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "ユーザーアカウントを削除する" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "シグナル" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." +msgstr "" +"<command>sss_userdel</command> はログイン名 <replaceable>LOGIN</replaceable> " +"により識別されるユーザーをシステムから削除します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#: sss_userdel.8.xml:48 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"SSSD にすべての子プロセスを穏やかに停止するよう通知して、モニターをシャットダ" -"ウンします。" +"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" +"リーとユーザーのメールスプールとともに削除されます。設定が上書きされます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#: sss_userdel.8.xml:60 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"SSSD が現在のデバッグファイルディスクリプターに書き込むことを止めて、それらを" -"閉じてから開きなおすよう指示します。これは logrotate のようなプログラムを用い" -"てログローテーションを促進することを意味します。" +"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" +"リーとユーザーのメールスプールとともに削除されません。設定が上書きされます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_userdel.8.xml:72 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" +"このオプションは、指定されたユーザーにより所有されていないものさえ、" +"<command>sss_userdel</command> がユーザーのホームディレクトリーとメールスプー" +"ルを削除するよう強制します。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "実際にユーザーを削除する前に、そのプロセスをすべて停止します。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "グループを削除する" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." 
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#: sss_groupdel.8.xml:32 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" +"<command>sss_groupdel</command> は名前 <replaceable>GROUP</replaceable> によ" +"り識別されるグループをシステムから削除します。" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "平文パスワードをわかりにくくする" +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "グループのプロパティーを表示します" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_groupshow.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_groupshow.8.xml:32 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -"<command>sss_obfuscate</command> は、与えられたパスワードを人間が読みにくい形" -"式に変換して、SSSD 設定ファイルの適切なドメインセクションに置きます。" +"<command>sss_groupshow</command> はその名前 <replaceable>GROUP</replaceable> " +"により識別されるグループに関する情報を表示します。情報はグループ ID 番号、グ" +"ループのメンバーおよび親グループを含みます。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -"平文のパスワードは、標準入力から読み込まれます、または対話的に入力されます。" -"解読しにくくされたパスワードが指定された SSSD ドメインの " -"<quote>ldap_default_authtok</quote> パラメータに置かれます。また " -"<quote>ldap_default_authtok_type</quote> パラメーターが " -"<quote>obfuscated_password</quote> に設定されます。これらのパラメーターの詳細" -"は <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> を参照してください。" +"ツリー階層形式で間接的なグループメンバーも表示します。これは親グループの表示" +"にも影響を与えることに注意してください - <option>R</option> を指定しないと、" +"直接の親のみが表示されます。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "ユーザーアカウントを修正します" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#: sss_usermod.8.xml:32 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"パスワードをわかりにくくすることは、攻撃者がパスワードをリバースエンジニアリ" -"ングできるので <emphasis>実際にセキュリティの便益</emphasis> は提供されませ" -"ん。クライアントサイド証明書や GSSAPI のようなより良い認証機構を使用すること" -"を <emphasis>強く</emphasis> 推奨します。" +"<command>sss_usermod</command> は、コマンドラインにおいて指定された変更を反映" +"するために、 <replaceable>LOGIN</replaceable> により指定されたアカウントを変" +"更します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "ユーザーアカウントのホームディレクトリーです。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "ユーザーのログインシェルです。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. 
The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"このユーザーを <replaceable>GROUPS</replaceable> パラメーターにより指定された" +"グループに追加します。 <replaceable>GROUPS</replaceable> パラメーターはグルー" +"プ名のカンマ区切り一覧です。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "<replaceable>GROUPS</replaceable> " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." -msgstr "解読しにくくするパスワードが標準入力から読み込まれます。" +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "ユーザーアカウントをロックします。ユーザーはログインできなくなります。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "ユーザーアカウントのロックを解除します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "ユーザーのログインのための SELinux ユーザーです。" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_usermod.8.xml:152 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"パスワードに使用する SSSD ドメインです。名前の初期値は <quote>default</" -"quote> です。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "位置パラメーターにより指定された設定ファイルを読み込みます。" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "初期値: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "キャッシュクリーンアップを実行する" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 -msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#: sss_cache.8.xml:21 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." 
-msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#: sss_cache.8.xml:31 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 -msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" -msgstr "" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." 
+#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." -msgstr "" +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "特定のユーザーを無効にします。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 -msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" -msgstr "" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#: sss_cache.8.xml:68 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" +"すべてのユーザーレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のユーザーの無効化を上書きします。" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." -msgstr "" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "特定のグループを無効にします。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" -msgstr "" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_cache.8.xml:90 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" +"すべてのグループレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のグループの無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. 
The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "特定のネットワークグループを無効にします。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" -msgstr "" +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:112 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" +"すべてのネットワークグループレコードを無効にします。このオプションが設定され" +"ていると、これが特定のネットワークグループの無効化を上書きします。" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:119 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." -msgstr "" +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "特定のサービスを無効化します。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_cache.8.xml:134 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" +"すべてのサービスレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のサービスの無効化を上書きします。" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_cache.8.xml:141 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "特定の autofs マップを無効化します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#: sss_cache.8.xml:156 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" +"すべての autofs マップを無効化します。このオプションは特定のマップが設定され" +"ていても、その無効化を上書きします。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_cache.8.xml:178 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_cache.8.xml:201 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "無効化プロセスを特定のドメインのみに制限します。" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "新しいユーザーを作成する" +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_debuglevel.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_debuglevel.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -"<command>sss_useradd</command> は、コマンドラインにおいて指定された値とシステ" -"ムの初期値を使用して、新しいユーザーを作成します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 -msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -"ユーザーの UID を <replaceable>UID</replaceable> の値を設定します。与えられな" -"いと、自動的に選択されます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" -"ユーザーを説明している任意のテキスト文字列です。しばしばユーザーの完全名の項" -"目として使用されます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +#: sss_seed.8.xml:46 msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." -msgstr "" -"ユーザーアカウントのホームディレクトリーです。初期値は <filename>/home</" -"filename> に <replaceable>LOGIN</replaceable> の名前を追加して、ホームディレ" -"クトリーとして使用します。 <replaceable>LOGIN</replaceable> の前につけるベー" -"スは sssd.conf において <quote>user_defaults/baseDirectory</quote> 設定で変更" -"できます。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#: sss_seed.8.xml:51 msgid "" -"The user's login shell. 
The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" -"ユーザーのログインシェルです。初期値は現在 <filename>/bin/bash</filename> で" -"す。初期値は sssd.conf において <quote>user_defaults/defaultShell</quote> で" -"変更できます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#: sss_seed.8.xml:63 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "このユーザーがメンバーである既存のユーザーの一覧です。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." 
-msgstr "" -"ユーザーのホームディレクトリーが存在しなければ、それを作成します。(-k オプ" -"ションまたは設定ファイルで定義できる)スケルトンディレクトリーにあるファイル" -"とディレクトリーがホームディレクトリーにコピーされます。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. Overrides configuration settings." -msgstr "ユーザーのホームディレクトリーを作成しません。設定を上書きします。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#: sss_seed.8.xml:68 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "ユーザーの UID を <replaceable>UID</replaceable> に設定します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "ユーザーの GID を <replaceable>GID</replaceable> に設定します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." 
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" -"スケルトンディレクトリーです。ホームディレクトリーが <command>sss_useradd</" -"command> により作成されるとき、ユーザーのホームディレクトリーにコピーされる" -"ファイルとディレクトリーを含みます。" +"ユーザーのホームディレクトリーを <replaceable>HOME_DIR</replaceable> に設定し" +"ます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" -"特殊ファイル (ブロックデバイス、キャラクターデバイス、名前付きパイプおよび " -"UNIX ソケット) はコピーされません。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sss_seed.8.xml:140 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -"<option>-m</option> (または <option>--create-home</option>) オプションが指定" -"されたとき、またはホームディレクトリーの作成が設定において TRUE に設定されて" -"いる場合のみ、このオプションが有効です。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#: sss_seed.8.xml:148 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#: sss_seed.8.xml:153 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -"ユーザーがログインする際の SELinux ユーザーです。未指定の場合、システムの初期" -"値を使います。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> に対する Kerberos 5 認証バックエンド" -"の設定を説明しています。詳細な構文の参考資料は、<citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> マニュアルページの <quote>ファイル形式</quote> セクションを参照" -"してください。" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sssd-ifp.5.xml:23 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Kerberos 5 認証バックエンドは認証プロバイダーおよびパスワード変更プロバイダー" -"を含みます。正しく機能するためには識別プロダイバーと組み合わせて使用する必要" -"があります (たとえば、id_provider = ldap)。Kerberos 5 認証バックエンドにより" -"必要とされるいくつかの情報は、ユーザーの Kerberos プリンシパル名 (UPN) のよう" -"な、識別プロバイダーにより提供される必要があります。識別プロバイダーの設定は " -"UPN を指定するためのエントリーがある必要があります。これを設定する方法に関す" -"る詳細は適用可能な識別プロバイダーのマニュアルページを参照してください。" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#: sssd-ifp.5.xml:36 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -"このバックエンドは、ユーザーのホームディレクトリーにある .k5login ファイルに" -"基づいたアクセス制御を提供します。詳細は <citerefentry> <refentrytitle>." -"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してく" -"ださい。空の .k5login ファイルがあると、このユーザーに対するすべてのアクセス" -"が拒否されます。この機能を有効にするには、SSSD 設定において 'access_provider " -"= krb5' を使用します。" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" -"UPN が識別バックエンド <command>sssd</command> において利用できない場合は、形" -"式 <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable> " -"を使用して UPN を構築します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. 
" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -"SSSD が接続したい AD サーバー(優先順)の IP アドレスまたはホスト名のカンマ区" -"切り一覧を指定します。フェールオーバーおよびサーバー冗長化に関する詳細は " -"<quote>FAILOVER</quote> セクションを参照してください。ポート番号(コロンの後" -"ろ)をオプションとして、アドレスやホスト名の後ろに付けることもできます。これ" -"が無ければ、サービス探索が有効になっています。詳細は <quote>サービス探索</" -"quote> のセクションを参照してください。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 -msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." -msgstr "Kerberos レルムの名前です。このオプションは指定する必要があります。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (文字列)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -"パスワード変更サービスが KDC において実行されていなければ、代替サーバーがここ" -"で指定できます。オプションのポート番号が(コロンに続けて)アドレスまたはホス" -"ト名に追加できます。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -"フェイルオーバーとサーバー冗長性に関する詳細は、<quote>フェイルオーバー</" -"quote>のセクションを参照してください。注:KDC に対する認証がまだ可能であるな" -"らば、たとえすべての kpasswd サーバーがなかったとしても、バックエンドをオフラ" -"インに切り替えないことに注意してください。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "初期値: KDC を使用します" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 -msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "初期値: /tmp" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (文字列)" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "ログイン名" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "ログイン UID" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "プリンシパル名" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "レルム名" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "ホームディレクトリー" +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" -msgstr "SSSD クライアントのプロセス ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "文字 '%'" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. 
This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." 
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (整数)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -"オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトで" -"す。可能ならば、認証要求がオフラインで継続されます。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (論理値)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." 
+"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -"KDC から取得したクレディンシャルを検証するときに使用されるキーテーブルの場所" -"です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "初期値: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (論理値)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (文字列)" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "関連項目" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "秒は <emphasis>s</emphasis>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "分は <emphasis>m</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "時間は <emphasis>h</emphasis>" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "日は <emphasis>d</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "OpenSSH 認可キーを取得する" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." -msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" -"指定したい場合、'1h30m' の代わりに '90m' を使用します。" +"<command>sss_ssh_authorizedkeys</command> はユーザー <replaceable>USER</" +"replaceable> の SSH 公開鍵を取得して、 OpenSSH authorized_keys 形式に出力しま" +"す (詳細は <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> の <quote>AUTHORIZED_KEYS FILE FORMAT</quote> セク" +"ションを参照してください)。" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "初期値: 設定されません、つまり TGT は更新可能ではありません" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (文字列)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." -msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" -"指定したい場合、'1h30m' の代わりに '90m' を使用してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -"初期値: 設定されません、つまり KDC において設定されているチケット有効期間の初" -"期値です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -"このオプションが設定されていない場合、または 0 に設定されている場合、自動更新" -"は無効になります。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (文字列)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -"Kerberos の事前認証のために flexible authentication secure tunneling (FAST) " -"を有効化します。以下のオプションがサポートされます:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -"<emphasis>never</emphasis> は FAST を使用します。このオプションを何も設定しな" -"いことと同等です。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"<emphasis>try</emphasis> は FAST を使用します。サーバーが FAST をサポートして" -"いなければ、FAST を使用せずに認証を続行します。" +"SSSD ドメイン <replaceable>DOMAIN</replaceable> にあるユーザーの公開鍵を検索" +"します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "終了コード" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -"<emphasis>demand</emphasis> は FAST を使用します。サーバーが FAST を要求しな" -"ければ、認証が失敗します。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "初期値: 設定されません、つまり FAST が使用されません。" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." -msgstr "注: キーテーブルは FAST を使用する必要があります。" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "OpenSSH ホストキーを取得します" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." 
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -"注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポート" -"します。SSSD が古いバージョンの MIT Kerberos を使用している場合、このオプショ" -"ンを使用すると設定エラーになります。" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (文字列)" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." -msgstr "FAST に対して使用するサーバープリンシパルを指定します。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." 
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -"ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は " -"MIT Kerberos 1.7 およびそれ以降で利用可能です。" +"<replaceable>PROXY_COMMAND</replaceable> が指定されていると、ソケットを開く代" +"わりにホストへの接続を作成するために使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." 
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> は <citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> 設定に対して以下のディレクティブを使" +"用することにより、ホストキー認証に <command>sss_ssh_knownhostsproxy</" +"command> を使用するために設定できます: <placeholder type=\"programlisting\" " +"id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for " -#| "more information on the locator plugin." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -"位置情報プラグインの詳細は <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry> マニュアルページを参照ください。" +"ホストに接続するためにポート <replaceable>PORT</replaceable> を使用します。初" +"期値ではポート 22 が使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" +"SSSD ドメイン <replaceable>DOMAIN</replaceable> においてホスト公開鍵を検索し" +"ます。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (論理値)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Specifies if the user principal should be treated as enterprise principal. 
" -"See section 5 of RFC 6806 for more details about enterprise principals." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -"ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指" -"定します。エンタープライズプリンシパルの詳細は RFC 6806 のセクション 5 を参照" -"してください。" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. 
This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -"認証モジュール krb5 が SSSD ドメインにおいて使用されていると、以下のオプショ" -"ンを使用する必要があります。 SSSD ドメインの設定における詳細は " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> マニュアルページの <quote>ドメインセクション</" -"quote> を参照してください。 <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: idmap_sss.8.xml:62 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -"以下の例は、SSSD が正しく設定され、FOO が <replaceable>[sssd]</replaceable> " -"セクションにあるドメインの 1 つであると仮定しています。この例は Kerberos 認証" -"の設定のみを示し、識別プロバイダーを何も含みません。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "新しいグループを作成する" +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#: sssctl.8.xml:21 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." -msgstr "" -"<command>sss_groupadd</command> が新しいグループを作成します。これらのグルー" -"プは POSIX グループと互換性があり、他のグループをメンバーとして含められる追加" -"機能と互換性があります。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#: sssctl.8.xml:32 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. 
In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -"グループの GID を <replaceable>GID</replaceable> の値に設定します。与えられな" -"いと、自動的に選択されます。" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "ユーザーアカウントを削除する" +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-files.5.xml:36 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -"<command>sss_userdel</command> はログイン名 <replaceable>LOGIN</replaceable> " -"により識別されるユーザーをシステムから削除します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. 
See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" -"リーとユーザーのメールスプールとともに削除されます。設定が上書きされます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" -msgstr "<option>-R</option>,<option>--no-remove</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 +msgid "" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" -"リーとユーザーのメールスプールとともに削除されません。設定が上書きされます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"このオプションは、指定されたユーザーにより所有されていないものさえ、" -"<command>sss_userdel</command> がユーザーのホームディレクトリーとメールスプー" -"ルを削除するよう強制します。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "実際にユーザーを削除する前に、そのプロセスをすべて停止します。" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "グループを削除する" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-files.5.xml:143 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap +msgid "" +"passwd: sss files\n" +"group: sss files\n" msgstr "" -"<command>sss_groupdel</command> は名前 <replaceable>GROUP</replaceable> によ" -"り識別されるグループをシステムから削除します。" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "グループのプロパティーを表示します" +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-secrets.5.xml:36 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -"<command>sss_groupshow</command> はその名前 <replaceable>GROUP</replaceable> " -"により識別されるグループに関する情報を表示します。情報はグループ ID 番号、グ" -"ループのメンバーおよび親グループを含みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -"ツリー階層形式で間接的なグループメンバーも表示します。これは親グループの表示" -"にも影響を与えることに注意してください - <option>R</option> を指定しないと、" -"直接の親のみが表示されます。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "ユーザーアカウントを修正します" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sssd-secrets.5.xml:61 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"<command>sss_usermod</command> は、コマンドラインにおいて指定された変更を反映" -"するために、 <replaceable>LOGIN</replaceable> により指定されたアカウントを変" -"更します。" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "ユーザーアカウントのホームディレクトリーです。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "ユーザーのログインシェルです。" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -"このユーザーを <replaceable>GROUPS</replaceable> パラメーターにより指定された" -"グループに追加します。 <replaceable>GROUPS</replaceable> パラメーターはグルー" -"プ名のカンマ区切り一覧です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." -msgstr "<replaceable>GROUPS</replaceable> " - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." 
-msgstr "ユーザーアカウントをロックします。ユーザーはログインできなくなります。" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "ユーザーアカウントのロックを解除します。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." -msgstr "ユーザーのログインのための SELinux ユーザーです。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 -msgid "" -"Set an attribute to a name/value pair. 
The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" - -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "キャッシュクリーンアップを実行する" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "特定のユーザーを無効にします。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 -msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" -"すべてのユーザーレコードを無効にします。このオプションも設定されていると、こ" -"れが特定のユーザーの無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "特定のグループを無効にします。" +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 -msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" -"すべてのグループレコードを無効にします。このオプションも設定されていると、こ" -"れが特定のグループの無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "特定のネットワークグループを無効にします。" +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 -msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." 
+#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -"すべてのネットワークグループレコードを無効にします。このオプションが設定され" -"ていると、これが特定のネットワークグループの無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "特定のサービスを無効化します。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -"すべてのサービスレコードを無効にします。このオプションも設定されていると、こ" -"れが特定のサービスの無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "特定の autofs マップを無効化します。" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:260 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -"すべての autofs マップを無効化します。このオプションは特定のマップが設定され" -"ていても、その無効化を上書きします。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:278 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 -msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." -msgstr "無効化プロセスを特定のドメインのみに制限します。" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#: sssd-secrets.5.xml:310 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 -msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 -msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#: sssd-secrets.5.xml:335 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." 
+"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#: sssd-secrets.5.xml:347 msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "ユーザーの UID を <replaceable>UID</replaceable> に設定します。" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." -msgstr "ユーザーの GID を <replaceable>GID</replaceable> に設定します。" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#: sssd-secrets.5.xml:359 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -"ユーザーのホームディレクトリーを <replaceable>HOME_DIR</replaceable> に設定し" -"ます。" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:372 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 -msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#: sssd-secrets.5.xml:385 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 -msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-secrets.5.xml:424 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. 
The interface allows the user to query information about remote " -"users and groups over the system bus." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 -msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#: sssd-secrets.5.xml:519 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 +#: sssd-secrets.5.xml:529 #, no-wrap msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-secrets.5.xml:526 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-secrets.5.xml:535 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-secrets.5.xml:565 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." 
+"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#: sssd-session-recording.5.xml:23 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." 
+"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-session-recording.5.xml:41 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. 
This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 -msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "関連項目" - #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#: sssd-session-recording.5.xml:146 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "OpenSSH 認可キーを取得する" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#: sssd-kcm.8.xml:23 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -"<command>sss_ssh_authorizedkeys</command> はユーザー <replaceable>USER</" -"replaceable> の SSH 公開鍵を取得して、 OpenSSH authorized_keys 形式に出力しま" -"す (詳細は <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> の <quote>AUTHORIZED_KEYS FILE FORMAT</quote> セク" -"ションを参照してください)。" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#: sssd-kcm.8.xml:31 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:67 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:76 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. 
it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. 
The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -"SSSD ドメイン <replaceable>DOMAIN</replaceable> にあるユーザーの公開鍵を検索" -"します。" #. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" -msgstr "終了コード" +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "OpenSSH ホストキーを取得します" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " +msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-kcm.8.xml:155 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 +#: sssd-kcm.8.xml:164 msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." 
+"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<replaceable>PROXY_COMMAND</replaceable> が指定されていると、ソケットを開く代" -"わりにホストへの接続を作成するために使用されます。" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of the IPA provider for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " +#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page." msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説" +"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー" +"ジの <quote>ファイル形式</quote> を参照してください。" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 +#: sssd-kcm.8.xml:183 msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> は <citerefentry><refentrytitle>ssh</refentrytitle> " -"<manvolnum>1</manvolnum></citerefentry> 設定に対して以下のディレクティブを使" -"用することにより、ホストキー認証に <command>sss_ssh_knownhostsproxy</" -"command> を使用するために設定できます: <placeholder type=\"programlisting\" " -"id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -"ホストに接続するためにポート <replaceable>PORT</replaceable> を使用します。初" -"期値ではポート 22 が使用されます。" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -"SSSD ドメイン <replaceable>DOMAIN</replaceable> においてホスト公開鍵を検索し" -"ます。" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (整数)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 -msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id,max_id (整数)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 +msgid "" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "初期値: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (整数)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 +msgid "" +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "初期値: 6" + #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#: sssd-kcm.8.xml:247 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#: sssd-systemtap.5.xml:32 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. 
If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"Another reason is to provide efficient caching of local users and groups." +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 #, no-wrap msgid "" -"[domain/files]\n" -"id_provider = files\n" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"passwd: sss files\n" -"group: sss files\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. 
As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. 
Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 -msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 -msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#: sssd-systemtap.5.xml:412 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" -msgstr "" +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (文字列)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." 
msgstr "" +"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> 向けの LDAP ドメインの設定を説明して" +"います。詳細な構文については <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの " +"<quote>ファイル形式</quote> セクションを参照してください。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 -msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "LDAP にあるユーザーエントリーのオブジェクトクラスです。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "初期値: posixAccount" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 -msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "ユーザーのログイン名に対応する LDAP の属性です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." 
+msgstr "ユーザーの ID に対応する LDAP の属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "初期値: uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "ユーザーのプライマリーグループ ID に対応する LDAP の属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "初期値: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "ユーザーの gecos 項目に対応する LDAP の属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "初期値: gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "ユーザーのホームディレクトリーの名前を含む LDAP の属性です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "ユーザーの初期シェルのパスを含む LDAP の属性です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "初期値: loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"LDAP ユーザーオブジェクトの objectSID を含む LDAP 属性です。これは通常 " +"ActiveDirectory サーバーに対してのみ必要です。" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." -msgstr "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "親オブジェクトの最終変更のタイムスタンプを含む LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "初期値: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." 
-msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(最終パスワード変更日)に対応する LDAP 属性の名前を" +"含みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "初期値: shadowLastChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(最小パスワード期限)に対応する LDAP 属性の名前を含" +"みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "初期値: shadowMin" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(最大パスワード期限)に対応する LDAP 属性の名前を含" +"みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "初期値: shadowMax" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(パスワード警告期間)に対応する LDAP 属性の名前を含" +"みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "初期値: shadowWarning" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(パスワード無効期間)に対応する LDAP 属性の名前を含" +"みます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "初期値: shadowInactive" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." 
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> の対応部分(アカウント失効日)に対応する LDAP 属性の名前を含み" +"ます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "初期値: shadowExpire" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 -msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" +"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは Kerberos " +"の最終パスワード変更日時を保存する LDAP 属性の名前を含みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "初期値: krbLastPwdChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." 
msgstr "" +"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは現在のパス" +"ワード失効日時を保存する LDAP 属性の名前を含みます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "初期値: krbPasswordExpiration" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" +"ldap_account_expire_policy=ad を使用するとき、このパラメーターはアカウントの" +"失効日時を保存する LDAP 属性の名前を含みます。" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "初期値: accountExpires" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (文字列)" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" +"ldap_account_expire_policy=ad を使用するとき、このパラメーターはユーザーアカ" +"ウントの制御ビット項目を保存する LDAP 属性の名前を含みます。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "初期値: userAccountControl" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" +"ldap_account_expire_policy=rhds または同等のものを使用するとき、このパラメー" +"ターがアクセスが許可されるかされないかを決定します。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "初期値: nsAccountLock" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" +"ldap_account_expire_policy=nds を使用するとき、アクセスが許可されるかされない" +"かをこの属性が決定します。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "初期値: loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" +"ldap_account_expire_policy=nds を使用しているとき、この属性はデータアクセスが" +"いつまで許可されるのかを決定します。" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" +"ldap_account_expire_policy=nds を使用しているとき、この属性はアクセスが許可さ" +"れるときの一週間の日の時間を決定します。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "初期値: loginAllowedTimeMap" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "ユーザーの Kerberos User Principal Name (UPN) を含む LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "初期値: krbPrincipalName" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. 
Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (文字列)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "ユーザーの SSH 公開鍵を含む LDAP 属性です。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "ユーザーの完全名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "ユーザーのグループメンバーを一覧にする LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "初期値: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"もし access_provider=ldap かつ ldap_access_order=authorized_service ならば、" +"SSSD はアクセス権限を決定するために、ユーザーの LDAP エントリーにある " +"authorizedService 属性を使用します。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"明示的な拒否 (!svc) が始めに解決されます。次に SSSD は明示的な許可 (svc) を検" +"索します。最後にすべて許可 (*) を検索します。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "初期値: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" +"access_provider=ldap かつ ldap_access_order=host ならば、 SSSD はアクセス権限" +"を決めるために、ユーザーの LDAP エントリーにあるホスト属性の存在を使用しま" +"す。" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" +"明示的な拒否 (!host) がまず解決されます。次に SSSD が明示的な許可 (host) を検" +"索します。最後にすべて許可 (*) が検索されます。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "初期値: host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "LDAP にあるグループエントリーのオブジェクトクラスです。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "初期値: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "グループ名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "グループの ID に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "グループのメンバーの名前を含む LDAP の属性です。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "初期値: memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"LDAP グループオブジェクトの objectSID を含む LDAP 属性です。これは通常 " +"ActiveDirectory サーバーに対してのみ必要です。" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 #, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the IPA provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説" -"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー" -"ジの <quote>ファイル形式</quote> を参照してください。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (整数)" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id,max_id (整数)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" +"IPA プロバイダーにおいては ipa_netgroup_object_class が代わりに使用されます。" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "初期値: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "初期値: nisNetgroup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (整数)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "ネットワークグループ名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "IPA プロバイダーにおいては ipa_netgroup_name が代わりに使用されます。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (文字列)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "初期値: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "ネットワークグループのメンバーの名前を含む LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" +"IPA プロバイダーにおいては ipa_netgroup_member が代わりに使用されます。" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "初期値: memberNisNetgroup" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (文字列)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"ネットワークグループの三つ組(ホスト、ユーザー、ドメイン)を含む LDAP 属性で" +"す。" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "初期値: nisNetgroupTriple" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (文字列)" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "初期値: ipService" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap -msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap -msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "サービスセクション" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "LDAP にあるサービスエントリーのオブジェクトクラスです。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "サービス属性の名前とそのエイリアスを含む LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "このサービスにより管理されるポートを含む LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "初期値: ipServicePort" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "このサービスにより認識されるプロトコルを含む LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "初期値: ipServiceProtocol" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "LDAP にある sudo ルールエントリーのオブジェクトクラスです。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "初期値: sudoRole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "sudo ルール名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "コマンド名に対応する LDAP 属性です。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "初期値: sudoCommand" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" +"ホスト名(またはホスト IP アドレス、ホスト IP ネットワーク、ホストネットワー" +"クグループ)に対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "初期値: sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" +"ユーザー名(または UID、グループ名、ユーザーのネットワークグループ)に対応す" +"る LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "初期値: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "sudo オプションに対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "初期値: sudoOption" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " -msgstr "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "コマンドを実行するユーザー名に対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "初期値: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" +"コマンドを実行するグループ名またはグループの GID に対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "初期値: sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" -msgstr "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "sudo ルールが有効になる開始日時に対応する LDAP 属性です。" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "初期値: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" +"sudo ルールが有効ではなくなった後に、期限切れとなる日時に対応する LDAP 属性で" +"す。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "初期値: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "ルールの並び替えインデックスに対応する LDAP 属性です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "初期値: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "AUTOFS オプション" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (文字列)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." +msgstr "LDAP にある automount マップエントリーのオブジェクトクラスです。" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "LDAP における automount のマップエントリーの名前です。" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (文字列)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. 
The entry usually corresponds to a " +"mount point." msgstr "" +"LDAP にある automount エントリーのキーです。エントリーは一般的にマウントポイ" +"ントと対応します。" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (文字列)" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/lv.po b/src/man/po/lv.po index 24ccfefe07d..bd30342f91a 100644 --- a/src/man/po/lv.po +++ b/src/man/po/lv.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-15 12:00+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/" 
@@ -33,7 +33,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "" @@ -76,7 +76,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "APRAKSTS" @@ -135,7 +135,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -144,7 +144,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -295,12 +295,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -317,19 +317,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -352,8 +356,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Noklusējuma: 10" @@ -368,7 +372,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -416,19 +420,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -448,7 +452,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -468,12 +472,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -481,39 +485,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -528,20 +532,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -549,52 +564,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -607,17 +622,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -627,7 +642,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -640,23 +655,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -666,7 +681,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -675,22 +690,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -698,69 +713,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 6" msgid "Default: sha256" msgstr "Noklusējuma: 6" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -768,19 +802,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -788,24 +822,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -814,7 +848,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -822,8 +856,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -831,68 +879,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -903,7 +951,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -920,7 +968,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -937,12 +985,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -951,22 +999,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -976,17 +1024,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -996,18 +1044,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Noklusējuma: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1015,24 +1063,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1040,12 +1088,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1057,58 +1105,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Noklusējuma: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1116,7 +1164,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1126,7 +1174,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1135,17 +1183,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1153,17 +1201,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Noklusējuma: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1171,17 +1219,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1190,7 +1238,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1199,41 +1247,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1241,23 +1289,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1265,47 +1313,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1313,112 +1361,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1429,96 +1477,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Noklusējuma: 0 (bez ierobežojuma)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1526,59 +1574,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Noklusējuma: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1587,61 +1635,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1649,7 +1697,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1658,17 +1706,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1676,31 +1724,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1710,75 +1758,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1786,19 +1834,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1806,12 +1854,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1819,77 +1867,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1897,7 +1945,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1909,63 +1957,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1973,12 +2021,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1989,7 +2037,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1997,7 +2045,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2005,7 +2053,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2014,12 +2062,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2030,24 +2078,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2057,22 +2105,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2080,51 +2128,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2133,24 +2181,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2161,7 +2236,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2172,24 +2247,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2197,12 +2272,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2211,24 +2286,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2238,66 +2313,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2305,17 +2380,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2323,7 +2398,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2331,22 +2406,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2355,14 +2430,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2371,38 +2446,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2411,24 +2486,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2437,29 +2512,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2473,14 +2548,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2489,39 +2564,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2530,19 +2605,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2553,115 +2628,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2670,42 +2745,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2713,24 +2788,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2739,17 +2814,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Noklusējuma: 0 (neierobežots)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2758,34 +2833,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2793,7 +2868,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2801,8 +2876,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2811,8 +2886,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2820,19 +2895,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2841,7 +2916,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2849,22 +2924,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2876,7 +2951,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2884,19 +2959,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2904,7 +2979,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2912,35 +2987,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2948,19 +3023,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2969,7 +3044,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2977,29 +3052,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Noklusējuma: <quote>atļaut</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3007,7 +3082,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3015,35 +3090,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3051,32 +3126,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3087,7 +3162,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3096,12 +3171,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3109,7 +3184,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3117,31 +3192,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3149,7 +3224,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3158,17 +3233,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3176,43 +3251,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3220,7 +3295,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3228,7 +3303,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3236,24 +3311,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3261,12 +3336,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3276,7 +3351,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3285,29 +3360,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3315,7 +3390,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3325,59 +3400,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Atbalstītās vērtības:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3386,77 +3461,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Noklusējuma: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3464,7 +3539,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3473,17 +3548,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3491,34 +3566,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3526,32 +3601,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3561,34 +3636,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3597,19 +3672,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3617,24 +3692,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3643,24 +3718,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3670,14 +3745,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3685,21 +3760,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3707,7 +3782,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3716,7 +3791,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3725,7 +3800,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3733,29 +3808,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3763,12 +3838,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3777,12 +3852,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3790,19 +3865,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3819,7 +3894,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3827,17 +3902,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3846,7 +3921,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3856,7 +3931,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3876,12 +3951,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3889,73 +3964,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Noklusējuma: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3963,17 +4038,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Noklusējuma: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3982,17 +4057,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Noklusējuma: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4000,17 +4075,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Noklusējuma: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4018,17 +4093,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4039,69 +4114,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4114,7 +4189,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4122,7 +4197,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4131,55 +4206,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4188,17 +4263,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4206,26 +4281,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4234,17 +4309,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4254,7 +4329,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4263,59 +4338,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4323,14 +4398,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4338,7 +4413,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4346,12 +4421,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4381,7 +4456,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4390,7 +4465,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4398,7 +4473,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4409,7 +4484,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4423,7 +4498,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4479,12 +4554,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "KONFIGURĒŠANAS IESPĒJAS" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4494,33 +4569,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4529,71 +4604,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4602,7 +4677,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4613,12 +4688,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4626,32 +4701,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4662,37 +4737,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Noklusējuma: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4701,10731 +4776,10973 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "Divi pašlaik atbalstītie mehānismi ir:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "parole" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Noklusējuma: posixAccount" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." 
+#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" +#: sssd-ldap.5.xml:359 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:386 msgid "" -"Active Directory primary group attribute for ID-mapping. 
Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#. 
type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." 
+#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:445 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." 
+#: sssd-ldap.5.xml:487 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:505 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Noklusējuma: shadowMin" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:542 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:548 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Noklusējuma: shadowMax" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 -msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. 
The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." 
+"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:741 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:757 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:770 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#: sssd-ldap.5.xml:789 msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. 
In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:810 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#: sssd-ldap.5.xml:814 +msgid "" +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. 
If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." 
+#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:877 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 -msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#: sssd-ldap.5.xml:904 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Noklusējuma: 86400 (24 stundas)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." 
+"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:974 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"An explicit deny (!host) is resolved first. 
Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:1017 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:1022 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:1027 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. 
If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Noklusējuma: posixGroup" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Noklusējuma: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Piemērs:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1153 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1174 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Atļautas šādas vērtības:" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1184 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1196 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1202 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. 
However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1211 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 -msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1308 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "" +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Noklusējuma: filtrēt" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1389 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1449 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1454 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1468 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1474 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1478 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1536 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. 
If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1559 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." -msgstr "" - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1577 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." 
+"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "PAPLAŠINĀTĀS IESPĒJAS" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "PIEMĒRS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "PIEZĪMES" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 -msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." 
+"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 +msgid "" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 +msgid "" +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Noklusējuma: 86400 (24 stundas)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 -msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"citerefentry> for details. 
The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." 
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Noklusējuma: ldap" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 -msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#: sssd-simple.5.xml:100 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#: sssd-simple.5.xml:111 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Piemērs:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Atļautas šādas vērtības:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." 
+"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 -msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 -msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." 
+"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 -msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 -msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 -msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Noklusējuma: filtrēt" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 -msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 -msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. 
" -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 -msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 -msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 -msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." 
+"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"This manual page only describes attribute name mapping. 
For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. 
The entry usually " -"corresponds to a mount point." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "PAPLAŠINĀTĀS IESPĒJAS" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "PIEMĒRS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "PIEZĪMES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 -msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." 
+"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." 
+"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. 
The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 -msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." 
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 -msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." 
+"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. 
To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. 
The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. 
If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 -msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#: sssd-ipa.5.xml:446 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 -msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. 
The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. 
" -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. 
Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 -msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 -msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#: sssd-ipa.5.xml:643 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#: sssd-ipa.5.xml:656 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:696 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. 
In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. 
Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." 
+"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 -msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. 
If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. 
By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 -msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. 
Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:495 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:515 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:531 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). 
If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:549 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:554 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 -msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:638 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:657 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:663 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:697 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:715 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:755 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:773 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:790 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:808 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:826 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. 
If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:852 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:857 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 -msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:901 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:927 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 -msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:1004 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:1022 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. 
As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:1068 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:1081 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. 
It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." 
+"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. 
This is already the default set by the IPA installer, so no " -"manual change is required." +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"There are many configuration options that can be used to adjust the " +"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. 
It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Send the debug output to files instead of stderr. 
By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 -msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 -msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 -msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. 
For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 -msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. 
This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 -msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. 
Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sss_obfuscate.8.xml:32 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sss_obfuscate.8.xml:37 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sss_obfuscate.8.xml:49 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"The SSSD domain to use the password in. The default name is <quote>default</" "quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"ldap_id_mapping = False\n" -" " +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. 
If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. 
For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. 
If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. 
For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. 
However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 -msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. 
Host entries in the list have no effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 -msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 -msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "create a new user" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. 
The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." 
+"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." 
+"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:122 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:138 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." 
-msgstr "" +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Noklusējuma: / tmp" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 -msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. 
For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. 
See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:243 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:257 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:275 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. 
The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Noklusējuma: /etc/krb5.keytab" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#: sssd-krb5.5.xml:288 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:293 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 -msgid "" -"The AD access control provider checks if the account is expired. 
It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 -msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"NOTE: It is not possible to mix units. 
To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." -msgstr "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 -msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." 
+"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "izveidot jaunu grupu" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." 
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#: sss_groupadd.8.xml:48 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "dzēst lietotāja kontu" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#: sss_userdel.8.xml:72 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "dzēst grupu" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#: sss_groupshow.8.xml:47 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#: sss_usermod.8.xml:32 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#: sss_cache.8.xml:31 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:53 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:68 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:75 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:112 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:134 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:141 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_cache.8.xml:156 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_cache.8.xml:163 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_cache.8.xml:201 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. 
Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "create a new user" +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_seed.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_seed.8.xml:33 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_seed.8.xml:46 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_seed.8.xml:51 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#: sss_seed.8.xml:63 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sss_seed.8.xml:68 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#: sss_seed.8.xml:148 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. 
Overrides configuration settings." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:53 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#: sssd-ifp.5.xml:63 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 -msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. 
" -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 -msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Noklusējuma: / tmp" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." 
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "SKATĪT ARĪ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 -msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 -msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Noklusējuma: /etc/krb5.keytab" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 -msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." 
+"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#: sssd-files.5.xml:99 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#: sssd-files.5.xml:114 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 -msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 +msgid "" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#: sssd-secrets.5.xml:75 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:122 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:132 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap -msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "izveidot jaunu grupu" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#: sssd-secrets.5.xml:144 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "dzēst lietotāja kontu" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 -msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." 
+"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "dzēst grupu" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" - -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." 
+#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:323 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." 
+#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. 
If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "noildze (vesels skaitlis)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. 
This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Noklusējuma: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Noklusējuma: 6" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "SKATĪT ARĪ" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. 
When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 -msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-systemtap.5.xml:412 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" -msgstr "" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Noklusējuma: posixAccount" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. 
Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Noklusējuma: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Noklusējuma: shadowMax" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to directory containing stored certificate authority certificates. 
" -"System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 -msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. 
In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. 
To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Noklusējuma: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. 
when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. 
To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. 
To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "noildze (vesels skaitlis)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Noklusējuma: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Noklusējuma: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/nl.po b/src/man/po/nl.po index 2201a3db757..e05315677be 100644 --- a/src/man/po/nl.po +++ b/src/man/po/nl.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-15 12:02+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/" 
@@ -31,7 +31,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD handleiding" @@ -77,7 +77,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "OMSCHRIJVING" @@ -147,7 +147,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -156,7 +156,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Bestandsformaten en conventies" 
@@ -318,12 +318,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Standaard: true" 
@@ -340,19 +340,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -375,8 +379,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -391,7 +395,7 @@ msgid "The [sssd] section" msgstr "De [sssd] sectie" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Sectie parameters" @@ -441,12 +445,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (numeriek)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -455,7 +459,7 @@ msgstr "" "Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Standaard: 3" @@ -475,7 +479,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (tekst)" 
@@ -495,12 +499,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (tekst)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -508,39 +512,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -555,16 +559,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +#, fuzzy +#| msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "try_inotify (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "try_inotify (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD houdt de stat van resolv.conf in de gaten om te zien wanneer de interne " "DNS-resolver bijgewerkt moet worden. Standaard wordt er geprobeerd om " 
@@ -572,7 +595,7 @@ msgstr "" "kijken of resolv.conf gewijzigd is als er geen inotify beschikbaar is." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -583,7 +606,7 @@ msgstr "" "gezet worden" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -592,7 +615,7 @@ msgstr "" "systemen." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -602,12 +625,12 @@ msgstr "" "conf." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -616,26 +639,26 @@ msgstr "" "opslaan." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -648,17 +671,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " 
@@ -668,7 +691,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " @@ -681,23 +704,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -707,7 +730,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -716,22 +739,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -739,69 +762,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 120" msgid "Default: sha256" msgstr "Standaard: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -809,19 +851,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -829,24 +871,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -855,7 +897,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -863,8 +905,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -872,68 +928,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -944,7 +1000,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -961,7 +1017,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -978,12 +1034,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "SERVICES SECTIE" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -992,22 +1048,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Algemene service configuratie-opties" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Deze opties kunnen gebruikt worden om services te configureren." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -1017,17 +1073,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1037,18 +1093,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1056,24 +1112,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1081,12 +1137,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1098,30 +1154,30 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "NSS configuratie-opties" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1129,12 +1185,12 @@ msgstr "" "configurere." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (numeriek)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1143,17 +1199,17 @@ msgstr "" "over alle gebruikers)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Standaard: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (numeriek)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1161,7 +1217,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1171,7 +1227,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1180,17 +1236,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (numeriek)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1198,17 +1254,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1216,17 +1272,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1235,7 +1291,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1244,41 +1300,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1286,23 +1342,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1310,47 +1366,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1358,112 +1414,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1474,96 +1530,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1571,59 +1627,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1632,61 +1688,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1694,7 +1750,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1703,17 +1759,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1721,31 +1777,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Standaard: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1755,75 +1811,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1831,19 +1887,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1851,12 +1907,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1864,77 +1920,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1942,7 +1998,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1954,63 +2010,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -2018,12 +2074,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2034,7 +2090,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2042,7 +2098,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2050,7 +2106,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2059,12 +2115,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2075,24 +2131,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2102,22 +2158,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2125,51 +2181,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2178,24 +2234,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2206,7 +2289,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2217,24 +2300,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2242,12 +2325,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2256,24 +2339,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2283,66 +2366,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2350,17 +2433,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2368,7 +2451,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2376,22 +2459,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2400,14 +2483,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2416,38 +2499,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2456,24 +2539,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2482,29 +2565,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2518,14 +2601,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2534,39 +2617,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2575,19 +2658,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2598,115 +2681,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2715,42 +2798,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2758,24 +2841,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2784,17 +2867,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2803,34 +2886,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2838,7 +2921,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2846,8 +2929,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2856,8 +2939,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2865,19 +2948,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2886,7 +2969,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2894,22 +2977,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2921,7 +3004,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2929,19 +3012,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2949,7 +3032,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2957,35 +3040,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2993,19 +3076,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3014,7 +3097,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3022,29 +3105,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3052,7 +3135,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3060,35 +3143,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3096,32 +3179,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3132,7 +3215,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3141,12 +3224,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3154,7 +3237,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3162,31 +3245,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3194,7 +3277,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3203,17 +3286,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3221,43 +3304,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3265,7 +3348,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3273,7 +3356,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3281,24 +3364,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3306,12 +3389,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3321,7 +3404,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3330,29 +3413,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3363,7 +3446,7 @@ msgstr "" "het domein alles daarna\"" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3373,59 +3456,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Standaard: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3434,77 +3517,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3512,7 +3595,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3521,17 +3604,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3539,34 +3622,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3574,32 +3657,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3609,34 +3692,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3645,19 +3728,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3665,24 +3748,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3691,24 +3774,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3718,14 +3801,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3733,21 +3816,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3755,7 +3838,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3764,7 +3847,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3773,7 +3856,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3781,29 +3864,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3811,12 +3894,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3825,12 +3908,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3838,19 +3921,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3867,7 +3950,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3875,17 +3958,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3894,7 +3977,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3904,7 +3987,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3924,12 +4007,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3937,73 +4020,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4011,17 +4094,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4030,17 +4113,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4048,17 +4131,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4066,17 +4149,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4087,69 +4170,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4162,7 +4245,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4170,7 +4253,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4179,55 +4262,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4236,17 +4319,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4254,26 +4337,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4282,17 +4365,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4302,7 +4385,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4311,59 +4394,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4371,14 +4454,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4386,7 +4469,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4394,12 +4477,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4429,7 +4512,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4438,7 +4521,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4446,7 +4529,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4457,7 +4540,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4471,7 +4554,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4527,12 +4610,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4542,33 +4625,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4577,71 +4660,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4650,7 +4733,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4661,12 +4744,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4674,32 +4757,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4710,37 +4793,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4749,10735 +4832,10977 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1350 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1359 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1415 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1449 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1474 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1559 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 -msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1577 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 +msgid "" +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. 
" -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 -msgid "" -"Specifies acceptable cipher suites. 
Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. 
This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. 
If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 +msgid "" +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 -msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. 
If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 -msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. 
Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). 
If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. 
the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The key of an automount entry in LDAP. 
The entry usually corresponds to a " -"mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." 
+"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the DN string of the value which is stored 
in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. 
Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. 
The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 -msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. 
Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. 
With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. 
This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. 
" -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. 
Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." 
+"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 -msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. 
the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." 
+"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. 
If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. 
be used with the LDAP attribute " -"'userCertificate;binary'." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 -msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. 
The 'short_name' component " -"represents the first part of the address before the '@' sign." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 -msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." 
+"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. 
However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. 
For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 -msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +#: sssd-ad.5.xml:463 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:475 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. 
" +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:495 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:515 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"The amount of time between lookups of GPO policy files against the AD " +"server. 
This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:531 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:549 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 -msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 -msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:638 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. 
If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:697 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:721 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:778 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:790 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." 
+"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:808 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." 
+#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." 
+"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. 
This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. 
It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"Send the debug output to files instead of stderr. 
By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 -msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 -msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 -msgid "" -"Some configuration options can be also set for a trusted domain. 
A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sssd.8.xml:259 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sss_override.8.xml:32 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sss_override.8.xml:37 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sss_override.8.xml:52 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. 
The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"ldap_id_mapping = False\n" -" " +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. 
Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"List all groups with set overrides. 
If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. 
" -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 -msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 -msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. 
The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. 
Only user and group entries are " -"supported. Host entries in the list have no effect." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 -msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Create the user's home directory if it does not exist. 
The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#: sssd-krb5.5.xml:77 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#: sssd-krb5.5.xml:138 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:208 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#: sssd-krb5.5.xml:216 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:243 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:257 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:275 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:288 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:344 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). 
The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:364 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:379 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 -msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Specifies if the user principal should be treated as enterprise principal. 
" +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. 
However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#: sssd-krb5.5.xml:65 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sssd-krb5.5.xml:606 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. 
This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_userdel.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_userdel.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#: sss_userdel.8.xml:72 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_usermod.8.xml:96 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." 
+#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_usermod.8.xml:152 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_cache.8.xml:31 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. 
Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_cache.8.xml:68 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#: sss_cache.8.xml:75 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:141 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:156 msgid "" -"Remove user overrides. 
However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:163 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_seed.8.xml:46 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#: sss_seed.8.xml:51 msgid "" -"List all groups with set overrides. 
If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_seed.8.xml:117 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_seed.8.xml:153 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sssd-ifp.5.xml:36 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:53 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:63 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sssd-ifp.5.xml:81 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. 
This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sssd-ifp.5.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:139 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:39 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "ZIE OOK" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Directory to store credential caches. 
All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 -msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 -msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. 
If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 -msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 -msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<emphasis>try</emphasis> to use FAST. 
If the server does not support FAST, " -"continue the authentication without it." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#: sssd-secrets.5.xml:75 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:61 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:323 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." 
+"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate all autofs maps. 
This option overrides invalidation of specific " -"map if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. 
This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. 
The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." 
+"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccaches (integer)" +msgstr "enum_cache_timeout (numeriek)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "enum_cache_timeout (numeriek)" + #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." -msgstr "" +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 64" +msgstr "Standaard: 3" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "enum_cache_timeout (integer)" +msgid "max_ccache_size (integer)" +msgstr "enum_cache_timeout (numeriek)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 65536" +msgstr "Standaard: 3" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." 
+"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "ZIE OOK" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. 
If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 -msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 -msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-systemtap.5.xml:412 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. 
Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Active Directory primary group attribute for ID-mapping. 
Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. 
Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." 
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 -msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap -msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 -msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 -msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. 
By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. 
To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:200
-msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>"
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:871
+msgid "HOST ATTRIBUTES"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-kcm.8.xml:205
-#, fuzzy
-#| msgid "enum_cache_timeout (integer)"
-msgid "max_ccaches (integer)"
-msgstr "enum_cache_timeout (numeriek)"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:208
-msgid "How many credential caches does the KCM database allow for all users."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:875
+msgid "ldap_host_object_class (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:212
-msgid "Default: 0 (unlimited, only the per-UID quota is enforced)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:878
+msgid "The object class of a host entry in LDAP."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-kcm.8.xml:217
-#, fuzzy
-#| msgid "enum_cache_timeout (integer)"
-msgid "max_uid_ccaches (integer)"
-msgstr "enum_cache_timeout (numeriek)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978
+msgid "Default: ipService"
+msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:220
-msgid ""
-"How many credential caches does the KCM database allow per UID.
This is "
-"equivalent to <quote>with how many principals you can kinit</quote>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:887
+msgid "ldap_host_name (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:225
-#, fuzzy
-#| msgid "Default: 3"
-msgid "Default: 64"
-msgstr "Standaard: 3"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-kcm.8.xml:230
-#, fuzzy
-#| msgid "enum_cache_timeout (integer)"
-msgid "max_ccache_size (integer)"
-msgstr "enum_cache_timeout (numeriek)"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:900
+msgid "ldap_host_fqdn (string)"
+msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:233
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:903
 msgid ""
-"How big can a credential cache be per ccache. Each service ticket accounts "
-"into this quota."
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-kcm.8.xml:237
-#, fuzzy
-#| msgid "Default: 3"
-msgid "Default: 65536"
-msgstr "Standaard: 3"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:907
+msgid "Default: fqdn"
+msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><para>
-#: sssd-kcm.8.xml:247
-msgid ""
-"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
-"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
-"refentrytitle><manvolnum>5</manvolnum> </citerefentry>,"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:913
+msgid "ldap_host_serverhostname (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refnamediv><refname>
-#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16
-msgid "sssd-systemtap"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:920
+msgid "Default: serverHostname"
 msgstr ""
-#. type: Content of: <reference><refentry><refnamediv><refpurpose>
-#: sssd-systemtap.5.xml:17
-msgid "SSSD systemtap information"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:926
+msgid "ldap_host_member_of (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-systemtap.5.xml:23
-msgid ""
-"This manual page provides information about the systemtap functionality in "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:929
+msgid "The LDAP attribute that lists the host's group memberships."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-systemtap.5.xml:32
-msgid ""
-"SystemTap Probe points have been added into various locations in SSSD code "
-"to assist in troubleshooting and analyzing performance related issues."
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:939
+msgid "ldap_host_ssh_public_key (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd-systemtap.5.xml:40
-msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:942
+msgid "The LDAP attribute that contains the host's SSH public keys."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd-systemtap.5.xml:46
-msgid ""
-"Probes and miscellaneous functions are defined in /usr/share/systemtap/"
-"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp "
-"respectively."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:952
+msgid "ldap_host_uuid (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-systemtap.5.xml:57
-msgid "PROBE POINTS"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:955
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341
-msgid ""
-"The information below lists the probe points and arguments available in the "
-"following format:"
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:968
+#, fuzzy
+#| msgid "SERVICES SECTIONS"
+msgid "SERVICE ATTRIBUTES"
+msgstr "SERVICES SECTIE"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:972
+msgid "ldap_service_object_class (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:64
-msgid "probe $name"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:975
+msgid "The object class of a service entry in LDAP."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:67
-msgid "Description of probe point"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:984
+msgid "ldap_service_name (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:70
-#, no-wrap
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:987
 msgid ""
-"variable1:datatype\n"
-"variable2:datatype\n"
-"variable3:datatype\n"
-"...\n"
-" "
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:80
-msgid "Database Transaction Probes"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:997
+msgid "ldap_service_port (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:84
-msgid "probe sssd_transaction_start"
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1000
+msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:87
-msgid ""
-"Start of a sysdb transaction, probes the sysdb_transaction_start() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1004
+msgid "Default: ipServicePort"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1010
+msgid "ldap_service_proto (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118
-#: sssd-systemtap.5.xml:131
-#, no-wrap
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1013
 msgid ""
-"nesting:integer\n"
-"probestr:string\n"
-" "
+"The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:97
-msgid "probe sssd_transaction_cancel"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1017
+msgid "Default: ipServiceProtocol"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:100
-msgid ""
-"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() "
-"function."
+#.
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1026
+msgid "SUDO ATTRIBUTES"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:111
-msgid "probe sssd_transaction_commit_before"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1030
+msgid "ldap_sudorule_object_class (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:114
-msgid "Probes the sysdb_transaction_commit_before() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1033
+msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:124
-msgid "probe sssd_transaction_commit_after"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1036
+msgid "Default: sudoRole"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:127
-msgid "Probes the sysdb_transaction_commit_after() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1042
+msgid "ldap_sudorule_name (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:141
-msgid "LDAP Search Probes"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1045
+msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:145
-msgid "probe sdap_search_send"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1055
+msgid "ldap_sudorule_command (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:148
-msgid "Probes the sdap_get_generic_ext_send() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1058
+msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196
-#, no-wrap
-msgid ""
-"base:string\n"
-"scope:integer\n"
-"filter:string\n"
-"probestr:string\n"
-" "
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1062
+msgid "Default: sudoCommand"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:160
-msgid "probe sdap_search_recv"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1068
+msgid "ldap_sudorule_host (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:163
-msgid "Probes the sdap_get_generic_ext_recv() function."
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1071
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:175
-msgid "probe sdap_deref_send"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1076
+msgid "Default: sudoHost"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:178
-msgid "Probes the sdap_deref_search_send() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1082
+msgid "ldap_sudorule_user (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:182
-#, no-wrap
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1085
 msgid ""
-"base_dn:string\n"
-"deref_attr:string\n"
-"probestr:string\n"
-" "
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:189
-msgid "probe sdap_deref_recv"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1089
+msgid "Default: sudoUser"
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:192
-msgid "Probes the sdap_deref_search_recv() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1095
+msgid "ldap_sudorule_option (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:208
-msgid "LDAP Account Request Probes"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1098
+msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:212
-msgid "probe sdap_acct_req_send"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1102
+msgid "Default: sudoOption"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:215
-msgid "Probes the sdap_acct_req_send() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1108
+msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234
-#, no-wrap
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1111
 msgid ""
-"entry_type:int\n"
-"filter_type:int\n"
-"filter_value:string\n"
-"extra_value:string\n"
-" "
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:227
-msgid "probe sdap_acct_req_recv"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1115
+msgid "Default: sudoRunAsUser"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:230
-msgid "Probes the sdap_acct_req_recv() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1121
+msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:246
-msgid "LDAP User Search Probes"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1124
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:250
-msgid "probe sdap_search_user_send"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1128
+msgid "Default: sudoRunAsGroup"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:253
-msgid "Probes the sdap_search_user_send() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1134
+msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281
-#: sssd-systemtap.5.xml:293
-#, no-wrap
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1137
 msgid ""
-"filter:string\n"
-" "
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:262
-msgid "probe sdap_search_user_recv"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1141
+msgid "Default: sudoNotBefore"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:265
-msgid "Probes the sdap_search_user_recv() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1147
+msgid "ldap_sudorule_notafter (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:274
-msgid "probe sdap_search_user_save_begin"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1150
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:277
-msgid "Probes the sdap_search_user_save_begin() function."
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1155
+msgid "Default: sudoNotAfter"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:286
-msgid "probe sdap_search_user_save_end"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1161
+msgid "ldap_sudorule_order (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:289
-msgid "Probes the sdap_search_user_save_end() function."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1164
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:302
-msgid "Data Provider Request Probes"
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1168
+msgid "Default: sudoOrder"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:306
-msgid "probe dp_req_send"
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1177
+msgid "AUTOFS ATTRIBUTES"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:309
-msgid "A Data Provider request is submitted."
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:3
+msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:312
-#, no-wrap
-msgid ""
-"dp_req_domain:string\n"
-"dp_req_name:string\n"
-"dp_req_target:int\n"
-"dp_req_method:int\n"
-" "
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:6
+msgid "The object class of an automount map entry in LDAP."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:320
-msgid "probe dp_req_done"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:9
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:323
-msgid "A Data Provider request is completed."
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:16
+msgid "ldap_autofs_map_name (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-systemtap.5.xml:326
-#, no-wrap
-msgid ""
-"dp_req_name:string\n"
-"dp_req_target:int\n"
-"dp_req_method:int\n"
-"dp_ret:int\n"
-"dp_errorstr:string\n"
-" "
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:19
+msgid "The name of an automount map entry in LDAP."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-systemtap.5.xml:339
-msgid "MISCELLANEOUS FUNCTIONS"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:22
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:346
-msgid "function acct_req_desc(entry_type)"
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:29
+msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:349
-msgid "Convert entry_type to string and return string"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:32
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:354
-msgid ""
-"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
-"filter_value, extra_value)"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:37
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:358
-msgid "Create probe string based on filter type"
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:44
+msgid "ldap_autofs_entry_key (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:363
-msgid "function dp_target_str(target)"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
 msgstr ""
-#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:366
-msgid "Convert target to string and return string"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:51
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd-systemtap.5.xml:371
-msgid "function dp_method_str(target)"
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:58
+msgid "ldap_autofs_entry_value (string)"
 msgstr ""
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-systemtap.5.xml:374
-msgid "Convert method to string and return string"
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:65
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
 msgstr ""
 #. type: Content of: <refsect1><title>
diff --git a/src/man/po/pt.po b/src/man/po/pt.po
index 5007b7ebb1d..a7796f3b915 100644
--- a/src/man/po/pt.po
+++ b/src/man/po/pt.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.1.1\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2019-09-12 05:05+0200\n"
+"POT-Creation-Date: 2019-11-30 22:23+0100\n"
 "PO-Revision-Date: 2014-12-15 12:05+0000\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
@@ -31,7 +31,7 @@ msgstr ""
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
-#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Páginas de Manual de SSSD"
@@ -77,7 +77,7 @@ msgstr ""
 #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
-#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIÇÃO"
@@ -147,7 +147,7 @@ msgstr "sssd.conf"
 #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
-#: sssd-systemtap.5.xml:11
+#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11
 msgid "5"
 msgstr "5"
@@ -156,7 +156,7 @@ msgstr "5"
 #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
-#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12
+#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Formatos de ficheiros e convenções"
@@ -313,12 +313,12 @@ msgid ""
 msgstr ""
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902
-#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857
-#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594
-#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341
-#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499
-#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746
+#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326
+#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171
+#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
 msgid "Default: true"
 msgstr ""
@@ -335,19 +335,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Padrão: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -370,8 +374,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Padrão: 10" @@ -386,7 +390,7 @@ msgid "The [sssd] section" msgstr "A seção [SSSD]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Parâmetros de secção" @@ -436,12 +440,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -450,7 +454,7 @@ msgstr "" "falha do provedor de dados ou reiniciar antes de eles desistirem" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Padrão: 3" @@ -470,7 +474,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (string)" 
@@ -490,12 +494,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -503,39 +507,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -550,20 +554,33 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +#, fuzzy +#| msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "try_inotify (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "try_inotify (boolean)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -571,52 +588,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -629,17 +646,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -649,7 +666,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -662,23 +679,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -688,7 +705,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -697,22 +714,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -720,69 +737,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 6" msgid "Default: sha256" msgstr "Padrão: 6" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -790,19 +826,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -810,24 +846,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -836,7 +872,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -844,8 +880,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -853,68 +903,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -925,7 +975,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -942,7 +992,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -959,12 +1009,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -973,22 +1023,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -998,17 +1048,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1018,18 +1068,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Padrão: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1037,24 +1087,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1062,12 +1112,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1079,58 +1129,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Padrão: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1138,7 +1188,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1148,7 +1198,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1157,17 +1207,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Padrão: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1175,17 +1225,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1193,17 +1243,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1212,7 +1262,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1221,41 +1271,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1263,23 +1313,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1287,47 +1337,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1335,112 +1385,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Padrão: /bin/sh" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1451,96 +1501,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1548,59 +1598,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Padrão: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1609,61 +1659,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1671,7 +1721,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1680,17 +1730,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1698,31 +1748,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1732,75 +1782,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Padrão: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1808,19 +1858,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1828,12 +1878,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1841,77 +1891,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1919,7 +1969,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1931,63 +1981,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1995,12 +2045,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -2011,7 +2061,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2019,7 +2069,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2027,7 +2077,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2036,12 +2086,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2052,24 +2102,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2079,22 +2129,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2102,51 +2152,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2155,24 +2205,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2183,7 +2260,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2194,24 +2271,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2219,12 +2296,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2233,24 +2310,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2260,66 +2337,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2327,17 +2404,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2345,7 +2422,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2353,22 +2430,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "SECÇÕES DE DOMÍNIO" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2377,14 +2454,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2393,38 +2470,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2433,24 +2510,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Padrão: 1 para min_id, 0 (sem limite) para max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2459,29 +2536,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Padrão: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " 
@@ -2495,14 +2572,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2511,39 +2588,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2552,19 +2629,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2575,115 +2652,115 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2148
 msgid "Default: 5400"
 msgstr "Padrão: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2091
+#: sssd.conf.5.xml:2154
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2157
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124
-#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164
-#: sssd.conf.5.xml:2178
+#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187
+#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227
+#: sssd.conf.5.xml:2241
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2167
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2170
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2117
+#: sssd.conf.5.xml:2180
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2120
+#: sssd.conf.5.xml:2183
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2130
+#: sssd.conf.5.xml:2193
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2133
+#: sssd.conf.5.xml:2196
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2143
+#: sssd.conf.5.xml:2206
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2209
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2219
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2159
+#: sssd.conf.5.xml:2222
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2233
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2236
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2184
+#: sssd.conf.5.xml:2247
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2187
+#: sssd.conf.5.xml:2250
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2192
+#: sssd.conf.5.xml:2255
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -2692,42 +2769,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2200
+#: sssd.conf.5.xml:2263
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2204
+#: sssd.conf.5.xml:2267
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2214
+#: sssd.conf.5.xml:2277
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2217
+#: sssd.conf.5.xml:2280
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2221
+#: sssd.conf.5.xml:2284
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2231
+#: sssd.conf.5.xml:2294
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2234
+#: sssd.conf.5.xml:2297
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2735,24 +2812,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2304
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443
+#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2252
+#: sssd.conf.5.xml:2315
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2255
+#: sssd.conf.5.xml:2318
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever. The "
@@ -2761,17 +2838,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2262
+#: sssd.conf.5.xml:2325
 msgid "Default: 0 (unlimited)"
 msgstr "Padrão: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2267
+#: sssd.conf.5.xml:2330
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278
+#: sssd.conf.5.xml:2341
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password. If this information is missing, sssd "
@@ -2780,34 +2857,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2348
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2354
 msgid "id_provider (string)"
 msgstr "id_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2357
 msgid ""
 "The identification provider used for the domain. Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2301
+#: sssd.conf.5.xml:2364
 msgid ""
 "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2368
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2815,7 +2892,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2313
+#: sssd.conf.5.xml:2376
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2823,8 +2900,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2607
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2833,8 +2910,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2616
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2842,19 +2919,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2341
+#: sssd.conf.5.xml:2404
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2407
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2349
+#: sssd.conf.5.xml:2412
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2863,7 +2940,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2357
+#: sssd.conf.5.xml:2420
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2871,22 +2948,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2364
+#: sssd.conf.5.xml:2427
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370
+#: sssd.conf.5.xml:2433
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373
+#: sssd.conf.5.xml:2436
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2439
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2898,7 +2975,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2457
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2906,19 +2983,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2468
 msgid "auth_provider (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2471
 msgid ""
 "The authentication provider used for the domain. Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2926,7 +3003,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2419
+#: sssd.conf.5.xml:2482
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2934,35 +3011,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2443
+#: sssd.conf.5.xml:2506
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2446
+#: sssd.conf.5.xml:2509
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2450
+#: sssd.conf.5.xml:2513
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2516
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2522
 msgid "access_provider (string)"
 msgstr "access_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2462
+#: sssd.conf.5.xml:2525
 msgid ""
 "The access control provider used for the domain. There are two built-in "
 "access providers (in addition to any included in installed backends) "
@@ -2970,19 +3047,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2468
+#: sssd.conf.5.xml:2531
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2534
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2498
+#: sssd.conf.5.xml:2561
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2991,7 +3068,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2568
 msgid ""
 "<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2999,29 +3076,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:2575
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2515
+#: sssd.conf.5.xml:2578
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2583
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2523
+#: sssd.conf.5.xml:2586
 msgid ""
 "The provider which should handle change password operations for the domain. "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2591
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3029,7 +3106,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2536
+#: sssd.conf.5.xml:2599
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3037,35 +3114,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2624
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2628
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2568
+#: sssd.conf.5.xml:2631
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2575
+#: sssd.conf.5.xml:2638
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2641
 msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2645
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3073,32 +3150,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2590
+#: sssd.conf.5.xml:2653
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2657
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2598
+#: sssd.conf.5.xml:2661
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2845
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2668
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3109,7 +3186,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2683
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3118,12 +3195,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2630
+#: sssd.conf.5.xml:2693
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2696
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends. Supported selinux "
@@ -3131,7 +3208,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2639
+#: sssd.conf.5.xml:2702
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3139,31 +3216,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2647
+#: sssd.conf.5.xml:2710
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2650
+#: sssd.conf.5.xml:2713
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2656
+#: sssd.conf.5.xml:2719
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2659
+#: sssd.conf.5.xml:2722
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider. Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2665
+#: sssd.conf.5.xml:2728
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3171,7 +3248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2674
+#: sssd.conf.5.xml:2737
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3180,17 +3257,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2746
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2756
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2759
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3198,43 +3275,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2703
+#: sssd.conf.5.xml:2766
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2707
+#: sssd.conf.5.xml:2770
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2711
+#: sssd.conf.5.xml:2774
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2715
+#: sssd.conf.5.xml:2778
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2786
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2726
+#: sssd.conf.5.xml:2789
 msgid ""
 "The autofs provider used for the domain. Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2730
+#: sssd.conf.5.xml:2793
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3242,7 +3319,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2737
+#: sssd.conf.5.xml:2800
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3250,7 +3327,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2745
+#: sssd.conf.5.xml:2808
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3258,24 +3335,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2754
+#: sssd.conf.5.xml:2817
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2827
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2767
+#: sssd.conf.5.xml:2830
 msgid ""
 "The provider used for retrieving host identity information. Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2771
+#: sssd.conf.5.xml:2834
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3283,12 +3360,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2779
+#: sssd.conf.5.xml:2842
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2792
+#: sssd.conf.5.xml:2855
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components. The \"domain\" can "
@@ -3298,7 +3375,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2801
+#: sssd.conf.5.xml:2864
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
 "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
@@ -3307,29 +3384,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2806
+#: sssd.conf.5.xml:2869
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2809
+#: sssd.conf.5.xml:2872
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2812
+#: sssd.conf.5.xml:2875
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2815
+#: sssd.conf.5.xml:2878
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2883
 msgid ""
 "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3337,7 +3414,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2826
+#: sssd.conf.5.xml:2889
 msgid ""
 "NOTE: Some Active Directory groups, typically those used for MS Exchange "
 "contain an <quote>@</quote> sign in the name, which clashes with the default "
@@ -3347,59 +3424,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Default: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Default: ipv4_first" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3408,77 +3485,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Padrão: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3486,7 +3563,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3495,17 +3572,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3513,34 +3590,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3548,32 +3625,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3583,34 +3660,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3619,19 +3696,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3639,24 +3716,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3665,24 +3742,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3692,14 +3769,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3707,21 +3784,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3729,7 +3806,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3738,7 +3815,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3747,7 +3824,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3755,29 +3832,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3785,12 +3862,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3799,12 +3876,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3812,19 +3889,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3841,7 +3918,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3849,17 +3926,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3868,7 +3945,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3878,7 +3955,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3898,12 +3975,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "A secção de domínio local" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3911,73 +3988,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Padrão: <filename>bash/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Padrão: <filename>/ home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Padrão: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (integer)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " 
@@ -3985,17 +4062,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Padrão: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " @@ -4004,17 +4081,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Padrão: <filename>skel/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " 
@@ -4022,17 +4099,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Padrão: <filename>mail/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (string)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " @@ -4040,17 +4117,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Padrão: None, nenhum comando é executado" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4061,69 +4138,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4136,7 +4213,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4144,7 +4221,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4153,55 +4230,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4210,17 +4287,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4228,26 +4305,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4256,17 +4333,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4276,7 +4353,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4285,59 +4362,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4345,14 +4422,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4360,7 +4437,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4368,12 +4445,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4427,7 +4504,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4436,7 +4513,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4444,7 +4521,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4455,7 +4532,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4469,7 +4546,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4525,12 +4602,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "OPÇÕES DE CONFIGURAÇÃO" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4540,33 +4617,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<host>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4575,57 +4652,57 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Padrão: empty, ou seja, ldap_uri é usado." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." 
"ietf.org/rfc/rfc2254.txt" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Exemplos:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" @@ -4634,7 +4711,7 @@ msgstr "" "ldap_search_base = dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -4643,7 +4720,7 @@ msgstr "" "(host=thishost)?dc=example.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4652,7 +4729,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4663,12 +4740,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4676,32 +4753,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4712,37 +4789,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4751,10758 +4828,11004 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "" +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (integer)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." 
+#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" +#: sssd-ldap.5.xml:359 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:386 msgid "" -"Active Directory primary group attribute for ID-mapping. 
Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (integer)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Padrão: diret" +#: sssd-ldap.5.xml:445 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:461 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (integer)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:487 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:505 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:522 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Padrão: modifyTimestamp" +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Padrão: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Padrão: shadowLastChange" +#: sssd-ldap.5.xml:542 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 -msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Padrão: shadowMin" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Padrão: shadowMax" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Padrão: shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Padrão: shadowInactive" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Padrão: shadowExpire" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = O cliente não irá solicitar ou verificar " +"qualquer certificado de servidor." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"<emphasis>allow</emphasis> = The server certificate is requested. 
If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Padrão: krbLastPwdChange" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Padrão: krbPasswordExpiration" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Padrão: hard" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. 
Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 -msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:741 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (boolean)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" +#: sssd-ldap.5.xml:757 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:770 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:789 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (string)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:810 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Padrão: krbPrincipalName" +#: sssd-ldap.5.xml:814 +msgid "" +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (string)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 +#: sssd-ldap.5.xml:833 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." 
+"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:862 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (boolean)" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:877 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Padrão: false;" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" +"Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:904 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (integer)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:919 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Padrão: 86400 (24 horas)" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:932 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (string)" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Padrão: NC" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (boolean)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:974 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:1017 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 +#: sssd-ldap.5.xml:1022 msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +"<emphasis>none</emphasis> - No evaluation on the client side. 
This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:1027 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Padrão: host" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:1042 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:1057 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1092 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." 
+#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1170 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1196 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1202 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 -msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1234 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1244 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1251 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1272 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." 
+#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Padrão: filter" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (string)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Padrão: nisNetgroupTriple" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1385 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. 
" +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." 
+#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1449 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#: sssd-ldap.5.xml:1468 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1478 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1498 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1512 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (integer)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 -msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1536 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (integer)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1541 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1559 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1577 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (integer)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." -msgstr "" - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Padrão: 1000" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 -msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 -msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "OPÇÕES AVANÇADAS" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "EXEMPLO" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"<emphasis>never</emphasis> = O cliente não irá solicitar ou verificar " -"qualquer certificado de servidor." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. 
If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "NOTAS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Padrão: hard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "Módulo PAM para SSSD" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 -msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (boolean)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Padrão: false;" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -"Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (boolean)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (integer)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Padrão: 86400 (24 horas)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "MÓDULOS TIPO FORNECIDOS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "FICHEIROS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (boolean)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. 
There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 -msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." 
+"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 -msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 -msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#: sssd-simple.5.xml:100 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 -msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." 
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." 
+"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 -msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Padrão: filter" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. 
On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "OPÇÕES AVANÇADAS" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "EXEMPLO" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 -msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "NOTAS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 -msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "Módulo PAM para SSSD" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 -msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 -msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. 
They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 -msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. 
In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. 
Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"Specifies the name of the IPA domain. This is optional. 
If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "MÓDULOS TIPO FORNECIDOS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"If SSSD's PAM responder is not running, e.g. 
if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "FICHEIROS" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. 
With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." 
+"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." 
+"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 +msgid "" +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Default: Use base DN" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. 
Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." 
+"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Padrão: NC" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:643 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 -msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#: sssd-ipa.5.xml:696 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#: sssd-ipa.5.xml:805 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:817 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." 
+"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#: sssd-ipa.5.xml:821 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The following example assumes that SSSD is correctly configured and example." 
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." 
-"short_name}))" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. 
The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." 
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 -msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) 
This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." 
+"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." 
+"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (string)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:410 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:417 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (string)" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:475 msgid "" -"The TTL to apply to the client DNS record when updating it. 
If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#: sssd-ad.5.xml:495 +msgid "" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:515 msgid "" -"Optional. 
Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:531 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:549 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:554 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:638 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:657 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 -msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:697 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. 
If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:715 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:721 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Default: Use base DN" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:755 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:790 +msgid "" +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:808 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"The name of the Kerberos realm. 
This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:852 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#: sssd-ad.5.xml:857 msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:901 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:927 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 -msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 -msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +#: sssd-ad.5.xml:974 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Padrão: TRUE" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sssd-sudo.5.xml:98 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd-sudo.5.xml:118 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. 
The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sssd-sudo.5.xml:138 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sssd-sudo.5.xml:144 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sssd-sudo.5.xml:152 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. 
" +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 -msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#: sssd-sudo.5.xml:199 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "" +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "" +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "Daemon de serviços de segurança do sistema" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sssd.8.xml:31 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 -msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap -msgid "" -"ldap_id_mapping = False\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. 
If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"Specifies the name of the Active Directory domain. This is optional. 
If not " -"provided, the configuration domain name is used." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. 
If left unset, all " -"domains from the AD forest will be available." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap -msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Tornar-se um daemon após a instalação." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Executar em primeiro plano, não se torne um daemon." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. 
For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. 
This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "Imprimir o número da versão e sair." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Sinais" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." 
+"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "ofuscar uma senha de texto não criptografado" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. 
Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 -msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. 
SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 -msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." 
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. 
" -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. 
The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. 
<quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" -msgstr "" +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Padrão: Usar o KDC" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" -msgstr "" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (string)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:138 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "" +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Padrão: /tmp." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" -msgstr "" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (string)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 -msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "nome de login" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 -msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "nome principal" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Padrão: TRUE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. 
" -"This example shows only the AD provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nome de território" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "um literal '%'" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. 
Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (boolean)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. 
The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Padrão: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (boolean)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (string)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap -msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 -msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Padrão: não definido, ou seja, o TGT não é renovável" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. 
" -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "Daemon de serviços de segurança do sistema" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 -msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. 
It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (string)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Tornar-se um daemon após a instalação." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Executar em primeiro plano, não se torne um daemon." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_groupadd.8.xml:48 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Imprimir o número da versão e sair." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Sinais" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#: sss_userdel.8.xml:48 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_userdel.8.xml:60 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#: sss_userdel.8.xml:72 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "ofuscar uma senha de texto não criptografado" +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "excluir um grupo" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_groupdel.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 -msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#: sss_groupdel.8.xml:32 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. 
Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "modificar uma conta de utilizador" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" "arg>" msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 -msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#: sss_usermod.8.xml:32 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#: sss_usermod.8.xml:96 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" -msgstr "" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" +"Bloquear a conta do utilizador. O utilizador não será capaz de efetuar login." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 -msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" -msgstr "" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Desbloquear a conta de utilizador." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_usermod.8.xml:152 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 -msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 -msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#: sss_cache.8.xml:53 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_cache.8.xml:68 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_cache.8.xml:90 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_cache.8.xml:97 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 -msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_cache.8.xml:112 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#: sss_cache.8.xml:119 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"<option>-s</option>,<option>--service</option> <replaceable>service</" "replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 -msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_cache.8.xml:134 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#: sss_cache.8.xml:141 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." 
+#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sss_cache.8.xml:178 msgid "" -"Do not create the user's home directory. Overrides configuration settings." 
+"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#: sss_cache.8.xml:186 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sss_cache.8.xml:201 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +#: sss_cache.8.xml:209 msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_debuglevel.8.xml:32 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Padrão: Usar o KDC" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 msgid "" -"Directory to store credential caches. 
All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Padrão: /tmp." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (string)" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "nome de login" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "nome principal" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "nome de território" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "um literal '%'" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VER TAMBÉM" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 +msgid "" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." 
+"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Padrão: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 -msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." 
+"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (string)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 +msgid "" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 +msgid "" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#: sssd-files.5.xml:99 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "Padrão: não definido, ou seja, o TGT não é renovável" +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#: sssd-files.5.xml:114 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap +msgid "" +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 -msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." 
+"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (string)" +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. 
" -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. 
In addition, " +"there are some secrets-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 -msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." 
+"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. 
The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 -msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:186 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 -msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap -msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#: sssd-secrets.5.xml:231 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:260 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 -msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "excluir um grupo" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#: sssd-secrets.5.xml:278 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 -msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:310 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" - -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "modificar uma conta de utilizador" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 -msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. 
The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#: sssd-secrets.5.xml:335 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" -"Bloquear a conta do utilizador. O utilizador não será capaz de efetuar login." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." -msgstr "Desbloquear a conta de utilizador." +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate all autofs maps. 
This option overrides invalidation of specific " -"map if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 -msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. 
when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. 
It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. 
To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. 
Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccaches (integer)" +msgstr "ldap_page_size (integer)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "min_id,max_id (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "min_id,max_id (integer)" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." -msgstr "" +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Padrão: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "ldap_page_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "ldap_page_size (integer)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. 
Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Padrão: 6" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. 
See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "VER TAMBÉM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"attr:string\n" +"value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. 
When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 -msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap +msgid "" +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." 
+"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-systemtap.5.xml:412 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (string)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The secrets are simple key-value pairs. 
Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (string)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Padrão: diret" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." 
+"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (string)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. 
Setting the option to 0 " -"means \"unlimited\"." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Padrão: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (string)" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Padrão: shadowLastChange" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Padrão: shadowMin" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (string)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Padrão: shadowMax" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (string)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Padrão: shadowWarning" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (string)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Padrão: shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Padrão: shadowExpire" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Padrão: krbLastPwdChange" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Padrão: krbPasswordExpiration" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The method to use when authenticating to a Custodia server. 
The following " -"authentication methods are supported:" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Padrão: krbPrincipalName" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. 
SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 -msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Padrão: host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 -msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 -msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. 
Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. 
SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +#, fuzzy +#| msgid "ldap_group_search_base (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_search_base (string)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 -msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 -msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. 
By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. 
To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Padrão: nisNetgroupTriple" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (string)" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccaches (integer)" -msgstr "ldap_page_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id,max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Padrão: 6" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (integer)" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Padrão: 6" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po index e4d793040d7..368e3becac2 100644 --- a/src/man/po/pt_BR.po +++ b/src/man/po/pt_BR.po @@ -4,7 +4,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2017-01-29 10:11+0000\n" "Last-Translator: Rodrigo de Araujo Sousa Fonseca " "<rodrigodearaujo@fedoraproject.org>\n" 
@@ -27,7 +27,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "" @@ -70,7 +70,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "DESCRIÇÃO" @@ -129,7 +129,7 @@ msgstr "ssd.conf " #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -138,7 +138,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -289,12 +289,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -311,19 +311,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -346,8 +350,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -362,7 +366,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -410,19 +414,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -442,7 +446,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -462,12 +466,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -475,39 +479,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -522,20 +526,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -543,52 +558,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -601,17 +616,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -621,7 +636,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -634,23 +649,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -660,7 +675,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -669,22 +684,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -692,67 +707,86 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 msgid "Default: sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -760,19 +794,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -780,24 +814,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -806,7 +840,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -814,8 +848,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -823,68 +871,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -895,7 +943,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -912,7 +960,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -929,12 +977,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -943,22 +991,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -968,17 +1016,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -988,18 +1036,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1007,24 +1055,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1032,12 +1080,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1049,58 +1097,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1108,7 +1156,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1118,7 +1166,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1127,17 +1175,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1145,17 +1193,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1163,17 +1211,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1182,7 +1230,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1191,41 +1239,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1233,23 +1281,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1257,47 +1305,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1305,112 +1353,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1421,96 +1469,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1518,59 +1566,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1579,61 +1627,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1641,7 +1689,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1650,17 +1698,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1668,31 +1716,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1702,75 +1750,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1778,19 +1826,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1798,12 +1846,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1811,77 +1859,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1889,7 +1937,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1901,63 +1949,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1965,12 +2013,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1981,7 +2029,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1989,7 +2037,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -1997,7 +2045,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2006,12 +2054,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2022,24 +2070,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2049,22 +2097,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2072,51 +2120,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2125,24 +2173,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2153,7 +2228,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2164,24 +2239,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2189,12 +2264,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2203,24 +2278,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2230,66 +2305,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2297,17 +2372,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2315,7 +2390,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2323,22 +2398,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2347,14 +2422,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2363,38 +2438,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2403,24 +2478,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2429,29 +2504,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2465,14 +2540,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2481,39 +2556,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2522,19 +2597,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2545,115 +2620,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2662,42 +2737,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2705,24 +2780,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2731,17 +2806,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2750,34 +2825,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2785,7 +2860,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2793,8 +2868,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2803,8 +2878,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2812,19 +2887,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2833,7 +2908,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2841,22 +2916,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2868,7 +2943,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2876,19 +2951,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2896,7 +2971,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2904,35 +2979,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2940,19 +3015,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2961,7 +3036,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2969,29 +3044,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -2999,7 +3074,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3007,35 +3082,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3043,32 +3118,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3079,7 +3154,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3088,12 +3163,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3101,7 +3176,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3109,31 +3184,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3141,7 +3216,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3150,17 +3225,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3168,43 +3243,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3212,7 +3287,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3220,7 +3295,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3228,24 +3303,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3253,12 +3328,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3268,7 +3343,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3277,29 +3352,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3307,7 +3382,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3317,59 +3392,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3378,77 +3453,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3456,7 +3531,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3465,17 +3540,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3483,34 +3558,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3518,32 +3593,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3553,34 +3628,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3589,19 +3664,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3609,24 +3684,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3635,24 +3710,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3662,14 +3737,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3677,21 +3752,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3699,7 +3774,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3708,7 +3783,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3717,7 +3792,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3725,29 +3800,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3755,12 +3830,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3769,12 +3844,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3782,19 +3857,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3811,7 +3886,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3819,17 +3894,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3838,7 +3913,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3848,7 +3923,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3868,12 +3943,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3881,73 +3956,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3955,17 +4030,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3974,17 +4049,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3992,17 +4067,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4010,17 +4085,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4031,69 +4106,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4106,7 +4181,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4114,7 +4189,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4123,55 +4198,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4180,17 +4255,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4198,26 +4273,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4226,17 +4301,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4246,7 +4321,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4255,59 +4330,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4315,14 +4390,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4330,7 +4405,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4338,12 +4413,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4373,7 +4448,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4382,7 +4457,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4390,7 +4465,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4401,7 +4476,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4415,7 +4490,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4471,12 +4546,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4486,33 +4561,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4521,71 +4596,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4594,7 +4669,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4605,12 +4680,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4618,32 +4693,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4654,37 +4729,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4693,10725 +4768,10965 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1577 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. 
To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. 
With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 -msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." 
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. 
The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. 
The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. 
In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. 
This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." 
+"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." 
+"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. 
The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"The option also supports specifying different filters per domain or forest. 
" +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. 
See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. 
However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 -msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 -msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. 
The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. 
To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:495 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:515 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:531 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:549 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 -msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 -msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:638 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. 
Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:697 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:715 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:721 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 -msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:778 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:790 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." 
+"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:808 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." 
+#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." 
+"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. 
This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. 
It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 -msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#: sss_override.8.xml:32 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sss_override.8.xml:37 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. 
After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"Some configuration options can be also set for a trusted domain. 
A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 -msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "" -"The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 -msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"ldap_id_mapping = False\n" -" " +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. 
Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap -msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"The home directory of the user account. 
The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." 
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 -msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). 
Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#: sssd-krb5.5.xml:77 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#: sssd-krb5.5.xml:106 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#: sssd-krb5.5.xml:138 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 -msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 -msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#: sssd-krb5.5.xml:154 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#: sssd-krb5.5.xml:216 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#: sssd-krb5.5.xml:243 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#: sssd-krb5.5.xml:257 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." 
+"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#: sssd-krb5.5.xml:275 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:288 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#: sssd-krb5.5.xml:293 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:309 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:344 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:364 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +"NOTE: It is not possible to mix units. 
To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:379 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:419 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:508 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:524 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 -msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:542 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:551 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 #, no-wrap msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#: sssd-krb5.5.xml:65 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#: sssd-krb5.5.xml:606 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#: sss_userdel.8.xml:32 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. 
The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 -msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 -msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sss_groupdel.8.xml:32 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_usermod.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. 
It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 -msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. 
By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#: sss_usermod.8.xml:152 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 -msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#: sss_cache.8.xml:68 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_cache.8.xml:90 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#: sss_cache.8.xml:112 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"Invalidate all netgroup records. 
This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#: sss_cache.8.xml:119 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 -msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#: sss_cache.8.xml:134 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 -msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#: sss_cache.8.xml:186 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#: sss_cache.8.xml:201 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#: sss_seed.8.xml:68 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 -msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_seed.8.xml:140 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_seed.8.xml:148 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#: sss_seed.8.xml:153 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 -msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sssd-ifp.5.xml:53 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sssd-ifp.5.xml:63 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 -msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 -msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:81 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 -msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +#: sssd-ifp.5.xml:117 msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. Overrides configuration settings." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 -msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#: sss_rpcidmapd.5.xml:87 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:91 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#: sss_rpcidmapd.5.xml:100 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." 
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." 
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." 
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"To list all available commands run <command>sssctl</command> without any " +"parameters. 
To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#: sssd-files.5.xml:99 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#: sssd-files.5.xml:114 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 -msgid "" -"<emphasis>never</emphasis> use FAST. 
This is equivalent to not setting this " -"option at all." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 +msgid "" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the host and user principal should be canonicalized. 
This " -"feature is available with MIT Kerberos 1.7 and later versions." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. 
This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#: sssd-secrets.5.xml:75 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 -msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:95 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:122 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. 
These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#: sssd-secrets.5.xml:144 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. 
The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 -msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:323 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. 
This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. 
Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: sssd-secrets.5.xml:444 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. 
This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:466 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 -msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:519 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:535 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:551 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. 
The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." 
+"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +msgid "Default: 64" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-kcm.8.xml:237 +msgid "Default: 65536" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." 
+"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 -msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." 
+"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-systemtap.5.xml:412 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. 
The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. 
Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 -msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. 
In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 -msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 +msgid "" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 -msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains the objectSID of an LDAP group object. 
This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. 
For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. 
<placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -msgid "Default: 64" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -msgid "Default: 65536" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/ru.po b/src/man/po/ru.po index dc0e2c24bd6..2325daba0d3 100644 --- a/src/man/po/ru.po +++ b/src/man/po/ru.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-15 12:07+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/" @@ -32,7 +32,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Справка по SSSD" @@ -75,7 +75,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "ОПИСАНИЕ" 
@@ -134,7 +134,7 @@ msgstr "sssd.CONF" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -143,7 +143,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" @@ -294,12 +294,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -316,19 +316,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "По умолчанию: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -351,8 +355,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "По умолчанию: 10" @@ -367,7 +371,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -415,19 +419,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "попыток_соединения (целое число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "По умолчанию: 3" @@ -447,7 +451,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -467,12 +471,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -480,39 +484,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -527,20 +531,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -548,52 +563,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -606,17 +621,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -626,7 +641,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -639,23 +654,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -665,7 +680,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -674,22 +689,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -697,69 +712,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "По умолчанию: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -767,19 +801,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -787,24 +821,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -813,7 +847,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -821,8 +855,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -830,68 +878,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -902,7 +950,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -919,7 +967,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -936,12 +984,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -950,22 +998,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -975,17 +1023,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -995,18 +1043,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1014,24 +1062,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1039,12 +1087,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1056,58 +1104,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "По умолчанию: 120" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1115,7 +1163,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1125,7 +1173,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1134,17 +1182,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1152,17 +1200,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "По умолчанию: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1170,17 +1218,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1189,7 +1237,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1198,41 +1246,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "По умолчанию: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1240,23 +1288,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1264,47 +1312,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1312,112 +1360,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1428,96 +1476,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "По умолчанию: 0 (неограничено)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1525,59 +1573,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "По умолчанию: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "В настоящее время sssd поддерживает следующие значения:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "По умолчанию: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1586,61 +1634,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1648,7 +1696,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1657,17 +1705,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1675,31 +1723,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1709,75 +1757,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1785,19 +1833,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1805,12 +1853,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1818,77 +1866,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1896,7 +1944,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1908,63 +1956,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1972,12 +2020,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1988,7 +2036,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1996,7 +2044,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2004,7 +2052,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2013,12 +2061,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2029,24 +2077,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2056,22 +2104,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2079,51 +2127,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2132,24 +2180,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2160,7 +2235,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2171,24 +2246,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2196,12 +2271,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2210,24 +2285,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2237,66 +2312,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2304,17 +2379,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2322,7 +2397,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2330,22 +2405,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2354,14 +2429,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2370,38 +2445,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2410,24 +2485,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2436,29 +2511,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "По умолчанию: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " 
@@ -2472,14 +2547,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2488,39 +2563,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2529,19 +2604,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2552,115 +2627,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2669,42 +2744,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2712,24 +2787,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2738,17 +2813,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2757,34 +2832,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2792,7 +2867,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2800,8 +2875,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2810,8 +2885,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2819,19 +2894,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2840,7 +2915,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2848,22 +2923,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2875,7 +2950,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2883,19 +2958,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2903,7 +2978,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2911,35 +2986,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2947,19 +3022,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2968,7 +3043,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2976,29 +3051,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3006,7 +3081,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3014,35 +3089,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3050,32 +3125,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3086,7 +3161,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3095,12 +3170,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3108,7 +3183,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3116,31 +3191,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3148,7 +3223,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3157,17 +3232,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3175,43 +3250,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3219,7 +3294,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3227,7 +3302,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3235,24 +3310,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3260,12 +3335,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3275,7 +3350,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3284,29 +3359,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3314,7 +3389,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3324,59 +3399,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "По умолчанию: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Поддерживаемые значения:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3385,77 +3460,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "По умолчанию: использовать доменное имя из hostname" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3463,7 +3538,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3472,17 +3547,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3490,34 +3565,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3525,32 +3600,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3560,34 +3635,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3596,19 +3671,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3616,24 +3691,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3642,24 +3717,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3669,14 +3744,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3684,21 +3759,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3706,7 +3781,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3715,7 +3790,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3724,7 +3799,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3732,29 +3807,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3762,12 +3837,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3776,12 +3851,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3789,19 +3864,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3818,7 +3893,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3826,17 +3901,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3845,7 +3920,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3855,7 +3930,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3875,12 +3950,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3888,73 +3963,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "По умолчанию: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "По умолчанию: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3962,17 +4037,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "По умолчанию: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3981,17 +4056,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "По умолчанию: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3999,17 +4074,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "По умолчанию: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4017,17 +4092,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4038,69 +4113,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4113,7 +4188,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4121,7 +4196,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4130,55 +4205,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4187,17 +4262,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4205,26 +4280,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4233,17 +4308,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4253,7 +4328,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4262,59 +4337,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4322,14 +4397,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4337,7 +4412,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4345,12 +4420,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4380,7 +4455,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4389,7 +4464,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4397,7 +4472,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4408,7 +4483,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4422,7 +4497,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4478,12 +4553,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4493,33 +4568,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4528,71 +4603,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4601,7 +4676,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4612,12 +4687,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4625,32 +4700,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4661,37 +4736,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "По умолчанию: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4700,10729 +4775,10969 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "пароль" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "По умолчанию: posixAccount" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "По умолчанию: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "По умолчанию: loginShell" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. 
It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." 
+"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "По умолчанию: modifyTimestamp" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "По умолчанию: shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +#: sssd-ldap.5.xml:542 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:548 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "По умолчанию: shadowInactive" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "По умолчанию: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). 
If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. 
If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. 
When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:974 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." 
+#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1062 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 -msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1092 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1106 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1121 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 -msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1153 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." 
+#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1170 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." 
+#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1234 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." 
+#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1308 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 -msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1559 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. 
This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1577 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 -msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 -msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 -msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "ПРИМЕР" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 -msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. 
This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 -msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. 
If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 -msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 +msgid "" +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 -msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). 
If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. 
If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." 
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 -msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." 
+"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 -msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#: sssd-simple.5.xml:100 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. 
It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. 
Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"With this a part or the whole issuer name of the certificate can be matched. 
" +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 -msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 -msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 -msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. 
On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "ПРИМЕР" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 -msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. 
Default is 0." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 -msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. 
Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. 
" +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 -msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." 
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. 
This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. 
after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." 
+#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 +msgid "" +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#: sssd-ipa.5.xml:335 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 -msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 -msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 -msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. 
The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. 
" +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:643 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. 
Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. 
In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#: sssd-ipa.5.xml:805 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:817 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#: sssd-ipa.5.xml:821 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. 
In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 -msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The default conversion option is 'nss', i.e. 
attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. 
The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." 
+"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. 
The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:417 msgid "" -"Specifies the name of the IPA domain. 
This is optional. If not provided, " -"the configuration domain name is used." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 -msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:475 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:495 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. 
This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#: sssd-ad.5.xml:515 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:531 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. 
Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:549 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:554 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. 
For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 -msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:638 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:657 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." 
+"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:663 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 -msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:697 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:715 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 -msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:755 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:790 +msgid "" +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." 
+#: sssd-ad.5.xml:808 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. 
For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:901 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:927 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. 
" -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." 
+"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." 
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 -msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 -msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 -msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +#: sssd.8.xml:259 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sss_obfuscate.8.xml:32 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sss_obfuscate.8.xml:37 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sss_obfuscate.8.xml:49 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sss_override.8.xml:52 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. 
Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"ldap_id_mapping = False\n" -" " +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 -msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 -msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 -msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." 
+"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." 
+#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#: sssd-krb5.5.xml:138 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:154 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"Location of the user's credential cache. 
Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#: sssd-krb5.5.xml:208 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:225 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:243 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:275 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:288 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." 
+"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. 
A value of 0 will disable the renewal " -"attempt." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:344 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:364 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. 
The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:379 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>never</emphasis> use FAST. 
This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 -msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. 
The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#: sssd-krb5.5.xml:65 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. 
In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sssd-krb5.5.xml:606 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_userdel.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_userdel.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#: sss_userdel.8.xml:72 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_usermod.8.xml:96 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_usermod.8.xml:152 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_cache.8.xml:31 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_cache.8.xml:68 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#: sss_cache.8.xml:75 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. 
Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:141 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:156 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:163 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_seed.8.xml:46 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#: sss_seed.8.xml:51 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. 
" +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_seed.8.xml:117 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_seed.8.xml:153 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sssd-ifp.5.xml:36 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. 
The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:53 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:63 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. 
The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sssd-ifp.5.xml:81 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sssd-ifp.5.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:139 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:39 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. 
It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. 
An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." 
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "СМ. ТАКЖЕ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. 
In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 -msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 -msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 -msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 -msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 +msgid "" +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 -msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#: sssd-files.5.xml:114 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
This might be " -"helpful when there are too many servers discovered using SRV record." +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 -msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. 
Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 +msgid "" +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." 
+"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:45 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:55 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap -msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-secrets.5.xml:61 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." 
msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. 
In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 -msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:231 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 -msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:372 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:398 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 -msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." 
+"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:466 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." 
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 -msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#: sssd-secrets.5.xml:519 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 -msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:23 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:31 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 -msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." 
+#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:67 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:76 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 +msgid "" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. 
type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 -msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 -msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 64" +msgstr "По умолчанию: 3" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 65536" +msgstr "По умолчанию: 3" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#: sssd-systemtap.5.xml:23 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#: sssd-systemtap.5.xml:32 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap -msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. 
<placeholder type=\"programlisting\" id=\"0\"/>" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "СМ. ТАКЖЕ" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. 
Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 -msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap +msgid "" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 +#: sssd-systemtap.5.xml:412 msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. 
" -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "По умолчанию: posixAccount" + #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "По умолчанию: gecos" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 -msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "По умолчанию: loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "По умолчанию: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "По умолчанию: shadowWarning" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "По умолчанию: shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." 
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "По умолчанию: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. 
If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that references group members that are defined in an " +"external domain. 
At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 64" -msgstr "По умолчанию: 3" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 65536" -msgstr "По умолчанию: 3" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot index c9c21d4b380..fac55fd725b 100644 --- a/src/man/po/sssd-docs.pot +++ b/src/man/po/sssd-docs.pot 
@@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: sssd-docs 2.2.2\n" +"Project-Id-Version: sssd-docs 2.2.3\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 12:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:29+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" @@ -18,7 +18,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" #. type: Content of: <reference><title> -#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "" 
@@ -46,7 +46,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:63 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:63 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "" 
@@ -98,12 +98,12 @@ msgid "sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "" #. type: Content of: <reference><refentry><refmeta><refmiscinfo> -#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -254,7 +254,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -271,12 +271,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -299,7 +299,7 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -314,7 +314,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -363,19 +363,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "" @@ -395,7 +395,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -415,12 +415,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes " 
@@ -429,39 +429,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -476,20 +476,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -497,52 +508,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at " "build-time. (__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -555,17 +566,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -575,7 +586,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log " 
@@ -588,17 +599,17 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -608,7 +619,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -617,22 +628,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -640,66 +651,85 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 msgid "Default: sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -707,19 +737,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -727,24 +757,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> " @@ -753,7 +783,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -761,8 +791,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " 
@@ -770,68 +814,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -842,7 +886,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " 
@@ -859,7 +903,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" @@ -875,12 +919,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -889,22 +933,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -914,17 +958,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -934,17 +978,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -952,24 +996,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -977,12 +1021,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -994,58 +1038,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) " "service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1053,7 +1097,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1063,7 +1107,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1072,17 +1116,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1090,17 +1134,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1108,17 +1152,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1127,7 +1171,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1136,39 +1180,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1176,22 +1220,22 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 sssd-krb5.5.xml:573 include/override_homedir.xml:59 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1199,46 +1243,46 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in " "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in " "<quote>/etc/shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1246,56 +1290,56 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the " "machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during " "lookup. This option can be specified globally in the [nss] section or " 
@@ -1303,57 +1347,57 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1365,96 +1409,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1462,59 +1506,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during " "authentication. The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1523,61 +1567,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1585,7 +1629,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a " 
@@ -1595,17 +1639,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -1613,7 +1657,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be " 
@@ -1621,24 +1665,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting " "<emphasis>pwd_expiration_warning</emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1648,72 +1692,72 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1721,19 +1765,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1741,12 +1785,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1754,75 +1798,75 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1830,7 +1874,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1842,62 +1886,62 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1905,12 +1949,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1921,7 +1965,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1929,7 +1973,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -1937,7 +1981,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -1946,12 +1990,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> " 
@@ -1963,24 +2007,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -1991,22 +2035,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2014,51 +2058,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2068,24 +2112,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2096,7 +2167,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2107,24 +2178,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2132,12 +2203,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2146,24 +2217,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> " 
@@ -2174,66 +2245,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording " "enabled. Matches user names as returned by NSS. I.e. after the possible " 
@@ -2241,17 +2312,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2259,7 +2330,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2267,22 +2338,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2291,14 +2362,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2307,38 +2378,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For " 
@@ -2347,24 +2418,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2373,29 +2444,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2409,14 +2480,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2425,39 +2496,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2466,19 +2537,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2489,113 +2560,113 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2604,42 +2675,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2647,24 +2718,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2673,17 +2744,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2692,34 +2763,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> " "<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> " @@ -2728,7 +2799,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " 
@@ -2736,7 +2807,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2745,7 +2816,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " @@ -2753,19 +2824,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified " "names. For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2774,7 +2845,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2782,22 +2853,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2809,7 +2880,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2817,19 +2888,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " @@ -2837,7 +2908,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " 
@@ -2845,34 +2916,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2880,19 +2951,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> " @@ -2901,7 +2972,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> " 
@@ -2910,29 +2981,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " @@ -2941,7 +3012,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " 
@@ -2949,34 +3020,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " 
@@ -2984,31 +3055,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3019,7 +3090,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3028,12 +3099,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3041,7 +3112,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3050,31 +3121,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -3083,7 +3154,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3092,17 +3163,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3110,41 +3181,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " 
@@ -3152,7 +3223,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> " @@ -3160,7 +3231,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " @@ -3168,24 +3239,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3194,12 +3265,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3209,7 +3280,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: " "<quote>(((?P<domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> " 
@@ -3217,29 +3288,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3247,7 +3318,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3257,59 +3328,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is " 
@@ -3318,76 +3389,76 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 sssd-krb5.5.xml:248 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3395,7 +3466,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase " "condition=\"enable_local_provider\"> At the moment, this option is not " 
@@ -3404,17 +3475,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3422,34 +3493,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3457,32 +3528,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3492,32 +3563,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3526,19 +3597,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3546,24 +3617,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3572,24 +3643,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3599,14 +3670,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3614,21 +3685,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3636,7 +3707,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3645,7 +3716,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3654,7 +3725,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called " 
@@ -3663,29 +3734,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3693,12 +3764,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3707,12 +3778,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3720,19 +3791,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " @@ -3750,7 +3821,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3758,17 +3829,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3777,7 +3848,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3787,7 +3858,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3807,12 +3878,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3820,73 +3891,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3894,17 +3965,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3913,17 +3984,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3931,17 +4002,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -3949,17 +4020,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called " 
@@ -3970,69 +4041,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4046,7 +4117,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4054,7 +4125,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like " 
@@ -4063,55 +4134,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4120,17 +4191,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4138,26 +4209,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like " @@ -4166,17 +4237,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file " "(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>) exists " @@ -4186,7 +4257,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4195,59 +4266,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4255,14 +4326,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " @@ -4271,7 +4342,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, " "e.g. <quote>[prompting/password/sshd]</quote> to individual change the " 
@@ -4279,12 +4350,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4314,7 +4385,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4323,7 +4394,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4331,7 +4402,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4342,7 +4413,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4357,7 +4428,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4412,12 +4483,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the " 
@@ -4428,32 +4499,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a " 
@@ -4462,70 +4533,70 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by " "http://www.ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = " "cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4534,7 +4605,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4545,12 +4616,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4558,32 +4629,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4594,37 +4665,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4633,10750 +4704,10988 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups " +"(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD " +"will follow. This option has no effect on the RFC2307 schema." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:359 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:386 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the " -"<quote>ldap</quote> provider with ID mapping." 
+"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:445 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " +"<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:487 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> counterpart (date of the last password change)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value " +"vs. the TGT lifetime) will be used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> counterpart (minimum password age)." +"Specify the number of records to retrieve from LDAP in a single " +"request. Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> counterpart (maximum password age)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> counterpart (password warning period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use " +"it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 -msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> counterpart (password inactivity period)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> counterpart (account expiration " -"date)." 
+"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to " +"0. 
Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. 
It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:664 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 -msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in " +"<filename>/etc/openldap/ldap.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:741 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +#: sssd-ldap.5.xml:757 +msgid "" +"Specifies that the id_provider connection must also use <systemitem " +"class=\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#: sssd-ldap.5.xml:770 msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. 
In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP " -"schemas." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:789 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#: sssd-ldap.5.xml:810 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:814 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>phone</quote> to the cache." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. 
When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example " +"host/myhost). By default, the value is not set and the following principals " +"are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them " +"are found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:862 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:877 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 -msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#: sssd-ldap.5.xml:904 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is " +"used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option " -"<emphasis>must</emphasis> include <quote>authorized_service</quote> in order " -"for the ldap_user_authorized_service option to work." +"This option was named <quote>krb5_kdcip</quote> in earlier releases of " +"SSSD. While the legacy name is recognized for the time being, users are " +"advised to migrate their config files to use <quote>krb5_server</quote> " +"instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login " -"process. Therefore when using service-based access control, the " -"<quote>systemd-user</quote> service might need to be added to the list of " -"allowed services." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:974 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. 
Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Please note that the ldap_access_order configuration option " -"<emphasis>must</emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more information on " +"the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:1017 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." 
+"Select the policy to evaluate the password expiration on the client " +"side. The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:1022 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:1027 msgid "" -"Please note that the ldap_access_order configuration option " -"<emphasis>must</emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +"<emphasis>shadow</emphasis> - Use " +"<citerefentry><refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the " +"password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. 
If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1153 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1174 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1184 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1196 msgid "" -"If ldap_schema is set to a schema format that supports nested groups " -"(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD " -"will follow. This option has no effect on the RFC2307 schema." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, " +"<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check " +"if access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1202 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. 
However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is " +"allowed. If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1211 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 -msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the " +"<quote>ppolicy</quote> option and might be removed in a future release. " +"</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1290 +msgid "Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 -msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control " +"option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1350 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1389 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for full details. Note " +"that SSSD LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1449 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 -msgid "The LDAP attribute that contains the protocols understood by this service." +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval " +"</emphasis>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1468 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1474 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1478 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " -"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " -"<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> " -"</citerefentry> returns in case of no activity." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is " +"<emphasis>false</emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1536 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. 
If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value " -"vs. the TGT lifetime) will be used." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1559 msgid "" -"Specify the number of records to retrieve from LDAP in a single " -"request. Some LDAP servers enforce a maximum limit per-request." -msgstr "" - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1577 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." 
+"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use " -"it." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to " -"0. Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " +"type=\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in " -"<filename>/etc/openldap/ldap.conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> " +"<replaceable>quiet</replaceable> </arg> <arg choice='opt'> " +"<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> " +"<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> " +"<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> " +"<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> " +"<replaceable>prompt_always</replaceable> </arg> <arg choice='opt'> " +"<replaceable>try_cert_auth</replaceable> </arg> <arg choice='opt'> " +"<replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 -msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specifies that the id_provider connection must also use <systemitem " -"class=\"protocol\">tls</systemitem> to protect the channel." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied " +"access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for details." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. 
This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example " -"host/myhost). By default, the value is not set and the following principals " -"are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them " -"are found, the first principal in keytab is returned." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for more information on " +"these two PAM responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is " -"used." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 +msgid "" +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of " -"preference. For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 -msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of " -"SSSD. While the legacy name is recognized for the time being, users are " -"advised to migrate their config files to use <quote>krb5_server</quote> " -"instead." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be " +"displayed. This message can e.g. contain instructions about how to reset a " +"password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file " +"<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a " +"locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> " +"</citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"These files are searched in the directory " +"<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file " +"is present a generic message is displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 -msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> configuration file." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"See the <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more information on " -"the locator plugin." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. 
To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Select the policy to evaluate the password expiration on the client " -"side. The following values are allowed:" +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable " +"it. But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. 
An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use " -"<citerefentry><refentrytitle>shadow</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the " -"password has expired." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify " +"read-write KDCs. If this file exists for the given realm the content will be " +"used by the plugin to reply to requests for a kpasswd or kadmin server or " +"for the MIT Kerberos specific master KDC. If the address contains a port " +"number the default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> " -"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 -msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 -msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#: sssd-simple.5.xml:100 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 -msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, " -"<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check " -"if access is allowed or not." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is " -"allowed. If both attributes are missing access is granted." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"Please note that the ldap_access_order configuration option " -"<emphasis>must</emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"<emphasis>lockout</emphasis>: use account locking. 
If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This examples shows only the simple access provider-specific " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"<emphasis> Please note that this option is superseded by the " -"<quote>ppolicy</quote> option and might be removed in a future release. " -"</emphasis>" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. 
Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 -msgid "Note If user password is expired no explicit message is prompted by SSSD." 
+"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain " +"list</quote>. All components are optional. A missing <quote>priority</quote> " +"will add the rule with the lowest priority. The default <quote>matching " +"rule</quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 -msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control " -"option" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. 
It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to " +"match. Multiple keyword pattern pairs can be either joined with '&&' " +"(and) or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. 
The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"With this a part or the whole issuer name of the certificate can be " +"matched. All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 -msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as " +"<SAN:Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in " +"dotted-decimal notation, interpret it as string and try to match it against " +"the regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval " -"</emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for " +"<ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is " -"<emphasis>false</emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry>" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise " -"automountMapName" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +"This template will add the full subject DN converted to string according to " +"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder " -"type=\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" " -"id=\"2\"/> <placeholder type=\"variablelist\" id=\"3\"/> <placeholder " -"type=\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" " -"id=\"5\"/>" +"Example: " +"(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: " +"(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: " +"(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " -"type=\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." 
+"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> " -"<replaceable>quiet</replaceable> </arg> <arg choice='opt'> " -"<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> " -"<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> " -"<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> " -"<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> " -"<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> " -"<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> " -"<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> " -"<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> " -"<replaceable>prompt_always</replaceable> </arg> <arg choice='opt'> " -"<replaceable>try_cert_auth</replaceable> </arg> <arg choice='opt'> " -"<replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the DN string of the value which is stored 
in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied " -"access." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> identity provider and the <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> authentication provider with optimizations for IPA " +"environments. The IPA provider accepts the same options used by the " +"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " +"neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to " +"<quote>ipa</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. 
Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page for more information on " -"these two PAM responder options." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. 
The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the " +"<quote>dyndns_iface</quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for details." +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using " +"<emphasis>dyndns_update</emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 -msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using " +"<emphasis>dyndns_ttl</emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be " -"displayed. This message can e.g. contain instructions about how to reset a " -"password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"The message is read from the file " -"<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a " -"locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> " -"</citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"These files are searched in the directory " -"<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file " -"is present a generic message is displayed." +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using " +"<emphasis>dyndns_iface</emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> for details. 
The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable " -"it. But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains " +"\"_location.hostname.example.com\" and then fall back to traditional SRV " +"discovery. If the location based discovery succeeds, the IPA servers located " +"with the location based discovery are treated as primary servers and the IPA " +"servers located using the traditional SRV discovery are used as back up " +"servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify " -"read-write KDCs. If this file exists for the given realm the content will be " -"used by the plugin to reply to requests for a kpasswd or kadmin server or " -"for the MIT Kerberos specific master KDC. If the address contains a port " -"number the default KDC port 88 will be used for the latter." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and " -"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " -"section. This examples shows only the simple access provider-specific " -"options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. 
(<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 -msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain " -"list</quote>. All components are optional. A missing <quote>priority</quote> " -"will add the rule with the lowest priority. 
The default <quote>matching " -"rule</quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to " -"match. Multiple keyword pattern pairs can be either joined with '&&' " -"(and) or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be " -"matched. All comments for <SUBJECT> apply her as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +"The amount of time between lookups of the HBAC rules against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as " -"<SAN:Principal> does." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in " -"dotted-decimal notation, interpret it as string and try to match it against " -"the regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of " +"sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Match the value of the directoryName SAN. The same comments as given for " -"<ISSUER> and <SUBJECT> apply here as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#: sssd-ipa.5.xml:805 +msgid "The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#: sssd-ipa.5.xml:817 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#: sssd-ipa.5.xml:821 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. 
It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to " +"<quote>kdcinfo</quote> files read by the Kerberos locator plugin. Please " +"refer to the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. 
The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 -msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 -msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The AD provider is a back end used to connect to an Active Directory " +"server. This provider requires that the machine be joined to the AD domain " +"and a keytab is available. Back end communication occurs over a " +"GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD " +"provider and will be superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Example: " -"(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"The AD provider supports connecting to Active Directory 2008 R2 or " +"later. Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always " +"auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"Example: " -"(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})" +"The AD provider enables SSSD to use the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> identity provider and the <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> authentication provider with optimizations for Active " +"Directory environments. The AD provider accepts the same options used by the " +"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " +"neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to " +"<quote>ad</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. 
For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: " -"(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))" +"Users, groups and other entities served by SSSD are always treated as " +"case-insensitive in the AD provider for compatibility with Active " +"Directory's LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: " -"(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"Example: " -"(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. 
For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." 
+"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 -msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the " +"<quote>access_provider</quote> option must be explicitly set to " +"<quote>ad</quote> in order for this option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or " +"forest. This extended filter would consist of: " +"<quote>KEYWORD:NAME:FILTER</quote>. The keyword can be either " +"<quote>DOM</quote>, <quote>FOREST</quote> or missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then " +"<quote>NAME</quote> specifies the domain or subdomain the filter applies " +"to. If the keyword equals to <quote>FOREST</quote>, then the filter equals " +"to all domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full " +"DOM:domain.example.org: syntax to ensure the parser does not attempt to " +"interpret the colon characters associated with the OID. If you do not use " +"this OID then nested group membership will not be resolved. See usage " +"example below and refer here for further information about the OID: <ulink " +"url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] " +"section LDAP extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the " +"per-domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> identity provider and the <citerefentry> " -"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> authentication provider with optimizations for IPA " -"environments. The IPA provider accepts the same options used by the " -"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " -"neither necessary nor recommended to set these options." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to " -"<quote>ipa</quote>." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. 
Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:410 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:417 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. 
By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> " +"<refentrytitle>sssctl</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Optional. 
This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the " -"<quote>dyndns_iface</quote> option." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 -msgid "" -"NOTE: While it is still possible to use the old " -"<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using " -"<emphasis>dyndns_update</emphasis> in their config file." +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:475 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"Normally when no applicable GPOs are found the users are allowed " +"access. 
When this option is set to True users will be allowed access only " +"when explicitly allowed by a GPO rule. Otherwise users will be denied " +"access. This can be used to harden security but be careful when using this " +"option because it can deny access even to users in the built-in " +"Administrators group if no GPO rules apply to them." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old " -"<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using " -"<emphasis>dyndns_ttl</emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#: sssd-ad.5.xml:495 +msgid "" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:515 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. 
Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old " -"<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using " -"<emphasis>dyndns_iface</emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:531 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:549 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:554 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>login</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains " -"\"_location.hostname.example.com\" and then fall back to traditional SRV " -"discovery. If the location based discovery succeeds, the IPA servers located " -"with the location based discovery are treated as primary servers and the IPA " -"servers located using the traditional SRV discovery are used as back up " -"servers" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:638 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote " +"access. If at least one evaluated GPO contains remote interactive logon " +"right settings, the user is granted remote access only, if it or at least " +"one of its groups is part of the policy settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:657 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>sshd</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:697 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:715 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>ftp</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 -msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:755 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny batch logon setting for the user or one of its groups, the user is " +"denied batch logon access. If none of the evaluated GPOs has a batch logon " +"right defined, the user is granted logon access. If at least one evaluated " +"GPO contains batch logon right settings, the user is granted logon access " +"only, if it or at least one of its groups is part of the policy settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>crond</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:790 +msgid "Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:808 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using " +"<quote>+service_name</quote>. Since the default set is empty, it is not " +"possible to remove a PAM service name from the default set. For example, in " +"order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " +"you would use the following configuration: <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:901 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:927 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many access-control requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"This option should only be used to test the machine account renewal " +"task. The option expects 2 integers separated by a colon (':'). The first " +"integer defines the interval in seconds how often the task is run. The " +"second specifies the initial timeout in seconds before the task is run for " +"the first time after startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1022 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 -msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#: sssd-ad.5.xml:1068 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 -msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> file (which should contain rules " +"that apply to local users) and then in SSSD, the nsswitch.conf file should " +"contain the following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> to your NIS domain name (which equals to IPA domain name " +"when using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. To speed up the LDAP lookups, you " +"can also set search base for sudo rules using " +"<emphasis>ldap_sudo_search_base</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase " +"condition=\"have_systemd\"> It's important to note that on platforms where " +"systemd is supported there's no need to add the \"sudo\" provider to the " +"list of services, as it became optional. However, sssd-sudo.socket must be " +"enabled instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree " +"(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the " +"server. This is used to keep the cache consistent by removing every rule " +"which was deleted from the server. However, full refresh may produce a lot " +"of traffic and thus it should be run only occasionally depending on the size " +"and stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs " +"sudo. Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been " +"deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this " +"machine. This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and \"sudo_*\" in <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. 
It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> " +"<replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. 
By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by " +"<option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 -msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is " +"<filename>/etc/sssd/sssd.conf</filename>. For reference on the config file " +"syntax and options, consult the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 -msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of " -"sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sssd.8.xml:259 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." 
+"<command>sss_obfuscate</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>[PASSWORD]</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sss_obfuscate.8.xml:32 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"<command>sss_obfuscate</command> converts a given password into " +"human-unreadable format and places it into appropriate domain section of the " +"SSSD config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more details on these parameters." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is " +"<quote>default</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 -msgid "The following options can be set in a subdomain section on an IPA client:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 -msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to " -"<quote>kdcinfo</quote> files read by the Kerberos locator plugin. 
Please " -"refer to the <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"<command>sss_override</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sss_override.8.xml:32 msgid "" -"The following example assumes that SSSD is correctly configured and " -"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " -"section. This examples shows only the ipa provider-specific options." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#: sss_override.8.xml:52 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"The AD provider is a back end used to connect to an Active Directory " -"server. This provider requires that the machine be joined to the AD domain " -"and a keytab is available. Back end communication occurs over a " -"GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD " -"provider and will be superseded by Kerberos usage." 
+"<option>user-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-u,--uid</option> UID</optional> " +"<optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> " +"<optional><option>-s,--shell</option> SHELL</optional> " +"<optional><option>-c,--gecos</option> GECOS</optional> " +"<optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or " -"later. Earlier versions may work, but are unsupported." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always " -"auto-discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"The AD provider enables SSSD to use the <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> identity provider and the <citerefentry> " -"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> authentication provider with optimizations for Active " -"Directory environments. The AD provider accepts the same options used by the " -"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " -"neither necessary nor recommended to set these options." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +"<option>user-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to " -"<quote>ad</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap -msgid "" -"ldap_id_mapping = False\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"Users, groups and other entities served by SSSD are always treated as " -"case-insensitive in the AD provider for compatibility with Active " -"Directory's LDAP implementation." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 -msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>user-import</emphasis> for data " +"format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<option>group-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-g,--gid</option> GID</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"<option>group-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. 
The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the " -"<quote>access_provider</quote> option must be explicitly set to " -"<quote>ad</quote> in order for this option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or " -"forest. This extended filter would consist of: " -"<quote>KEYWORD:NAME:FILTER</quote>. The keyword can be either " -"<quote>DOM</quote>, <quote>FOREST</quote> or missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then " -"<quote>NAME</quote> specifies the domain or subdomain the filter applies " -"to. If the keyword equals to <quote>FOREST</quote>, then the filter equals " -"to all domains from the forest specified by <quote>NAME</quote>." +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>group-import</emphasis> for data " +"format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 -msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 -msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full " -"DOM:domain.example.org: syntax to ensure the parser does not attempt to " -"interpret the colon characters associated with the OID. If you do not use " -"this OID then nested group membership will not be resolved. See usage " -"example below and refer here for further information about the OID: <ulink " -"url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] " -"section LDAP extensions</ulink>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the " -"per-domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Specify AD site to which client should try to connect. 
If this option is " -"not provided, the AD site will be auto-discovered." +"<command>sss_useradd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. 
The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-c</option>,<option>--gecos</option> " +"<replaceable>COMMENT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<option>-h</option>,<option>--home</option> " +"<replaceable>HOME_DIR</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"The home directory of the user account. 
The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with " +"<quote>user_defaults/baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<option>-s</option>,<option>--shell</option> " +"<replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"The user's login shell. The default is currently " +"<filename>/bin/bash</filename>. The default can be changed with " +"<quote>user_defaults/defaultShell</quote> setting in sssd.conf." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> " +"<replaceable>GROUPS</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "disabled: GPO-based access control rules are neither evaluated nor enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"Create the user's home directory if it does not exist. 
The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> " +"<replaceable>SKELDIR</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"Normally when no applicable GPOs are found the users are allowed " -"access. When this option is set to True users will be allowed access only " -"when explicitly allowed by a GPO rule. Otherwise users will be denied " -"access. This can be used to harden security but be careful when using this " -"option because it can deny access even to users in the built-in " -"Administrators group if no GPO rules apply to them." 
+"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"This option is only valid if the <option>-m</option> (or " +"<option>--create-home</option>) option is specified, or creation of home " +"directories is set to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, please refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right " -"(e.g. <quote>login</quote>) with a custom pam service name " -"(e.g. <quote>my_pam_service</quote>), you would use the following " -"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> " +"<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> for more details. Please note that an empty .k5login file " +"will deny all access to this user. To activate this feature, use " +"'access_provider = krb5' in your SSSD configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#: sssd-krb5.5.xml:116 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#: sssd-krb5.5.xml:122 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#: sssd-krb5.5.xml:138 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right " -"(e.g. <quote>sshd</quote>) with a custom pam service name " -"(e.g. <quote>my_pam_service</quote>), you would use the following " -"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right " -"(e.g. <quote>ftp</quote>) with a custom pam service name " -"(e.g. <quote>my_pam_service</quote>), you would use the following " -"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right " -"(e.g. <quote>crond</quote>) with a custom pam service name " -"(e.g. 
<quote>my_pam_service</quote>), you would use the following " -"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 -msgid "Note: Cron service name may differ depending on Linux distribution used." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#: sssd-krb5.5.xml:154 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"When using KEYRING types, the only supported mechanism is " +"<quote>KEYRING:persistent:%U</quote>, which uses the Linux kernel keyring to " +"store credentials on a per-UID basis. This is also the recommended choice, " +"as it is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:216 msgid "" -"It is possible to add a PAM service name to the default set by using " -"<quote>+service_name</quote>. Since the default set is empty, it is not " -"possible to remove a PAM service name from the default set. For example, in " -"order to add a custom pam service name (e.g. 
<quote>my_pam_service</quote>), " -"you would use the following configuration: <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> uses different expansion sequences " +"than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:243 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name " -"(e.g. <quote>my_pam_service</quote>), you would use the following " -"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:275 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:288 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." 
+"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. 
A value of 0 will disable the renewal " -"attempt." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:344 msgid "" -"This option should only be used to test the machine account renewal " -"task. The option expects 2 integers separated by a colon (':'). The first " -"integer defines the interval in seconds how often the task is run. The " -"second specifies the initial timeout in seconds before the task is run for " -"the first time after startup." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:364 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. 
The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:369 +msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#: sssd-krb5.5.xml:379 msgid "" -"The following example assumes that SSSD is correctly configured and " -"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " -"section. This example shows only the AD provider-specific options." 
+"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Enables flexible authentication secure tunneling (FAST) for Kerberos " +"pre-authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"<emphasis>demand</emphasis> to use FAST. 
The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> file (which should contain rules " -"that apply to local users) and then in SSSD, the nsswitch.conf file should " -"contain the following line:" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 -msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> to your NIS domain name (which equals to IPA domain name " -"when using hostgroups)." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>. To speed up the LDAP lookups, you " -"can also set search base for sudo rules using " -"<emphasis>ldap_sudo_search_base</emphasis> option." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. This might be helpful when there " +"are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a " +"colon. The first number represents number of primary servers used and the " +"second number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> but no backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase " -"condition=\"have_systemd\"> It's important to note that on platforms where " -"systemd is supported there's no need to add the \"sudo\" provider to the " -"list of services, as it became optional. However, sssd-sudo.socket must be " -"enabled instead. </phrase>" +"Specifies if the user principal should be treated as enterprise " +"principal. See section 5 of RFC 6806 for more details about enterprise " +"principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree " -"(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the " -"server. This is used to keep the cache consistent by removing every rule " -"which was deleted from the server. However, full refresh may produce a lot " -"of traffic and thus it should be run only occasionally depending on the size " -"and stability of the sudo rules." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. " +"<quote>richard@REALM</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#: sssd-krb5.5.xml:65 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs " -"sudo. Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. 
In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been " -"deleted." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>, for " +"details on the configuration of an SSSD domain. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sssd-krb5.5.xml:606 msgid "" -"If enabled, SSSD will store only rules that can be applied to this " -"machine. This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> and \"sudo_*\" in <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry>." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 -msgid "" -"<command>sssd</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_userdel.8.xml:21 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_userdel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"<option>-d</option>,<option>--debug-level</option> " -"<replaceable>LEVEL</replaceable>" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 -msgid "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by " -"<option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupdel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_groupshow</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 -msgid "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Specify a non-default config file. The default is " -"<filename>/etc/sssd/sssd.conf</filename>. For reference on the config file " -"syntax and options, consult the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the " +"<replaceable>GROUPS</replaceable> parameter. The " +"<replaceable>GROUPS</replaceable> parameter is a comma separated list of " +"group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_usermod.8.xml:96 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Remove this user from groups specified by the " +"<replaceable>GROUPS</replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_usermod.8.xml:152 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>[PASSWORD]</replaceable></arg>" +"<command>sss_cache</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_cache.8.xml:31 msgid "" -"<command>sss_obfuscate</command> converts a given password into " -"human-unreadable format and places it into appropriate domain section of the " -"SSSD config file." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:53 +msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> " -"<replaceable>DOMAIN</replaceable>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_cache.8.xml:68 msgid "" -"The SSSD domain to use the password in. The default name is " -"<quote>default</quote>." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> " +"<replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> " +"<replaceable>netgroup</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg " -"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. 
Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"<option>-s</option>,<option>--service</option> " +"<replaceable>service</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:141 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> " -"<optional><option>-n,--name</option> NAME</optional> " -"<optional><option>-u,--uid</option> UID</optional> " -"<optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> " -"<optional><option>-s,--shell</option> SHELL</optional> " -"<optional><option>-c,--gecos</option> GECOS</optional> " -"<optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-a</option>,<option>--autofs-map</option> " +"<replaceable>autofs-map</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:156 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:163 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> " -"DOMAIN</optional>" +"<option>-h</option>,<option>--ssh-host</option> " +"<replaceable>hostname</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> " +"<replaceable>rule</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:201 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>domain</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 -msgid "" -"Export all overridden attributes and store them in " -"<emphasis>FILE</emphasis>. See <emphasis>user-import</emphasis> for data " -"format." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> " -"<optional><option>-n,--name</option> NAME</optional> " -"<optional><option>-g,--gid</option> GID</optional>" +"<command>sss_debuglevel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>NEW_DEBUG_LEVEL</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 -msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> " -"DOMAIN</optional>" +"<command>sss_seed</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg choice='plain'>-D " +"<replaceable>DOMAIN</replaceable></arg> <arg choice='plain'>-n " +"<replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> " +"<replaceable>USER</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_seed.8.xml:68 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 -msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sss_seed.8.xml:117 +msgid "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_seed.8.xml:140 msgid "" -"Export all overridden attributes and store them in " -"<emphasis>FILE</emphasis>. See <emphasis>group-import</emphasis> for data " -"format." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>PASS_FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or " +"--password-file option) must be less than or equal to PASS_MAX bytes (64 " +"bytes on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>LOGIN</replaceable></arg>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sssd-ifp.5.xml:36 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." 
+"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:53 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 -msgid "" -"<option>-c</option>,<option>--gecos</option> " -"<replaceable>COMMENT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:63 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> " -"<replaceable>HOME_DIR</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with " -"<quote>user_defaults/baseDirectory</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> " -"<replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently " -"<filename>/bin/bash</filename>. 
The default can be changed with " -"<quote>user_defaults/defaultShell</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> " -"<replaceable>GROUPS</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "Do not create the user's home directory. Overrides configuration settings." +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-k</option>,<option>--skel</option> " -"<replaceable>SKELDIR</replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sssd-ifp.5.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"It is possible to add another attribute to this set by using " +"<quote>+attr_name</quote> or explicitly remove an attribute using " +"<quote>-attr_name</quote>. For example, to allow " +"<quote>telephoneNumber</quote> but deny <quote>loginShell</quote>, you would " +"use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:139 msgid "" -"This option is only valid if the <option>-m</option> (or " -"<option>--create-home</option>) option is specified, or creation of home " -"directories is set to TRUE in the configuration." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<productname>sss rpc.idmapd plugin</productname> <author> " +"<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> " +"<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Developer " +"(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> " +"<surname>Meltzer</surname> <contrib>Developer (2014-)</contrib> " +"<email>tsnoam@gmail.com</email> </author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, please refer to the " -"<quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:39 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"rpc.idmapd configuration file is usually found at " +"<emphasis>/etc/idmapd.conf</emphasis>. See <citerefentry> " +"<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> " -"<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry> for more details. Please note that an empty .k5login file " -"will deny all access to this user. To activate this feature, use " -"'access_provider = krb5' in your SSSD configuration." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of " -"preference. For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_authorizedkeys</command> for public key user authentication " +"if it is compiled with support for <quote>AuthorizedKeysCommand</quote> " +"option. Please refer to the <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> man page for more details about this " +"option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use it by " +"putting the following directives in <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of " +"<filename>sssd.conf</filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in " +"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) or there is a " +"certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> or " +"<citerefentry><refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) and the certificate is " +"valid SSSD will extract the public key from the certificate and convert it " +"into the format expected by sshd." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> for details) it might be irritating " +"that authentication is still working even if the related X.509 certificate " +"on the Smartcard is already expired because neither <command>ssh</command> " +"nor <command>sshd</command> will look at the certificate at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"Location of the user's credential cache. 
Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"When using KEYRING types, the only supported mechanism is " -"<quote>KEYRING:persistent:%U</quote>, which uses the Linux kernel keyring to " -"store credentials on a per-UID basis. This is also the recommended choice, " -"as it is the most secure and predictable method." +"Search for user public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 -msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> uses different expansion sequences " -"than SSSD." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is " +"returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information) " +"<filename>/var/lib/sss/pubconf/known_hosts</filename> and establishes the " +"connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_knownhostsproxy</command> for host key authentication by " +"using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> configuration: <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." 
+"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Search for host public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 -msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and " +"SIDs. No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." 
+"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = " +"200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is " +"read-only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 -msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 -msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"The time in seconds between two checks if the TGT should be renewed. 
TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND " +"--help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos " -"pre-authentication. The following options are supported:" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "Another reason is to provide efficient caching of local users and groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"SSSD never handles resolution of user/group \"root\". Also resolution of " +"UID/GID 0 is not handled by SSSD. Such requests are passed to next NSS " +"module (usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 +msgid "" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for details on the " +"configuration of an SSSD domain. But the purpose of the files provider is to " +"expose the same data as the UNIX files, just through the SSSD " +"interfaces. Therefore not all generic domain options are " +"supported. Likewise, some global options, such as overriding the shell in " +"the <quote>nss</quote> section for all domains has no effect on the files " +"domain unless explicitly specified per-domain. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. This might be helpful when there " -"are too many servers discovered using SRV record." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a " -"colon. The first number represents number of primary servers used and the " -"second number specifies the number of backup servers." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> but no backup servers." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the user principal should be treated as enterprise " -"principal. See section 5 of RFC 6806 for more details about enterprise " -"principals." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with " +"them. The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#: sssd-secrets.5.xml:75 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. " -"<quote>richard@REALM</quote>." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:61 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>, for " -"details on the configuration of an SSSD domain. 
<placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The UNIX socket the SSSD responder listens on is located at " +"<filename>/var/run/secrets.socket</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. Unlike other SSSD responders, it cannot be started by " +"adding the <quote>secrets</quote> string to the <quote>service</quote> " +"directive. The systemd socket unit is called " +"<quote>sssd-secrets.socket</quote> and the corresponding service file is " +"called <quote>sssd-secrets.service</quote>. In order for the service to be " +"socket-activated, make sure the socket is enabled and active and the service " +"is enabled: <placeholder type=\"programlisting\" id=\"0\"/> Please note your " +"distribution may already configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>GROUP</replaceable></arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " +"addition, there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>LOGIN</replaceable></arg>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections " +"(e.g. <quote>[secrets/users/123]</quote> - see bottom of this manual page " +"for a full example using Custodia for a particular user) that define which " +"provider store the secrets for this particular user. The per-user " +"subsections should contain all options for that user's provider. Please note " +"that currently the global provider is always local, the proxy provider can " +"only be specified in a per-user section. The following providers are " +"supported: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored " +"per-UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>GROUP</replaceable></arg>" +"For example, to adjust quotas differently for both the " +"<quote>secrets</quote> and the <quote>kcm</quote> hives, configure the " +"following: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>GROUP</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the " +"<quote>username</quote> and <quote>password</quote> options." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>LOGIN</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the " -"<replaceable>GROUPS</replaceable> parameter. 
The " -"<replaceable>GROUPS</replaceable> parameter is a comma separated list of " -"group names." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the " -"<replaceable>GROUPS</replaceable> parameter." +#: sssd-secrets.5.xml:323 +msgid "The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority " +"certificates. System default path is used if this option is not set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:385 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in " +"<quote>capath</quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: sssd-secrets.5.xml:424 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." 
+"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to " +"<quote>application/octet-stream</quote>. Secrets stored with requests that " +"set the Content Type header to <quote>application/octet-stream</quote> are " +"base64-encoded when stored and decoded when retrieved, so it's not possible " +"to store a secret with one Content Type and retrieve with another. The " +"secret URI must begin with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> " -"<replaceable>group</replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret " +"value. If a secret with that name already exists, the response is a 409 HTTP " +"error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-n</option>,<option>--netgroup</option> " -"<replaceable>netgroup</replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 -msgid "" -"<option>-s</option>,<option>--service</option> " -"<replaceable>service</replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-a</option>,<option>--autofs-map</option> " -"<replaceable>autofs-map</replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate all autofs maps. 
This option overrides invalidation of specific " -"map if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> " -"<replaceable>hostname</replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> " -"<replaceable>rule</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on " +"http://localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Invalidate all cached sudo rules. 
This option overrides invalidation of " -"specific sudo rule if it was also set." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<option>-d</option>,<option>--domain</option> " -"<replaceable>domain</replaceable>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>NEW_DEBUG_LEVEL</replaceable></arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<command>sss_seed</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg choice='plain'>-D " -"<replaceable>DOMAIN</replaceable></arg> <arg choice='plain'>-n " -"<replaceable>USER</replaceable></arg>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 -msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-D</option>,<option>--domain</option> " -"<replaceable>DOMAIN</replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Provide the name of the domain in which the user is a member of. 
The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> " -"<replaceable>USER</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> " +"</citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 -msgid "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> " -"<replaceable>PASS_FILE</replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or " -"--password-file option) must be less than or equal to PASS_MAX bytes (64 " -"bytes on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, The credentials cache name must be only <quote>KCM:</quote> " +"without any template expansions. For example: <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path " +"<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure " +"the Kerberos library, change its <quote>kcm_socket</quote> option which is " +"described in the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. Unlike other SSSD services, it cannot be started by adding " +"the <quote>kcm</quote> string to the <quote>service</quote> directive. " +"<placeholder type=\"programlisting\" id=\"0\"/> Please note your " +"distribution may already configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." 
+"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at " +"<quote>/var/lib/sss/secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever " +"use-case doesn't work for you. The KCM logs will be generated at " +"<filename>/var/log/sssd/sssd_kcm.log</filename>. It is recommended to " +"disable the debug logs when you no longer need the debugging to be enabled " +"as the sssd-kcm service can generate quite a large amount of debugging " +"information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the " +"sssd.conf file. Please note that because the KCM service is typically " +"socket-activated, it is enough to just restart the <quote>sssd-kcm</quote> " +"service after changing options in the <quote>kcm</quote> section of " +"sssd.conf: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " +"addition, there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> " -"<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " -"type=\"variablelist\" id=\"0\"/>" +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using " -"<quote>+attr_name</quote> or explicitly remove an attribute using " -"<quote>-attr_name</quote>. 
For example, to allow " -"<quote>telephoneNumber</quote> but deny <quote>loginShell</quote>, you would " -"use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +msgid "Default: 64" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-kcm.8.xml:237 +msgid "Default: 65536" msgstr "" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> " -"<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> " -"<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Developer " -"(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> " -"<surname>Meltzer</surname> <contrib>Developer (2014-)</contrib> " -"<email>tsnoam@gmail.com</email> </author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at " -"<emphasis>/etc/idmapd.conf</emphasis>. See <citerefentry> " -"<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"Probes and miscellaneous functions are defined in " +"/usr/share/systemtap/tapset/sssd.stp and " +"/usr/share/systemtap/tapset/sssd_functions.stp respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 -msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 -msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 -msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " -"</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> can be configured to use " -"<command>sss_ssh_authorizedkeys</command> for public key user authentication " -"if it is compiled with support for <quote>AuthorizedKeysCommand</quote> " -"option. Please refer to the <citerefentry> " -"<refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> man page for more details about this " -"option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap -msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> can be configured to use it by " -"putting the following directives in <citerefentry> " -"<refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of " -"<filename>sssd.conf</filename>. 
If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in " -"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for details) or there is a " -"certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> or " -"<citerefentry><refentrytitle>sssd-ipa</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for details) and the certificate is " -"valid SSSD will extract the public key from the certificate and convert it " -"into the format expected by sshd." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 +msgid "" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap +msgid "" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for details)." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> " -"<manvolnum>1</manvolnum></citerefentry> for details) it might be irritating " -"that authentication is still working even if the related X.509 certificate " -"on the Smartcard is already expired because neither <command>ssh</command> " -"nor <command>sshd</command> will look at the certificate at all." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain " -"<replaceable>DOMAIN</replaceable>." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is " -"returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> " -"<manvolnum>8</manvolnum></citerefentry> for more information) " -"<filename>/var/lib/sss/pubconf/known_hosts</filename> and establishes the " -"connection to the host." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> " -"<manvolnum>1</manvolnum></citerefentry> can be configured to use " -"<command>sss_ssh_knownhostsproxy</command> for host key authentication by " -"using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> " -"<manvolnum>1</manvolnum></citerefentry> configuration: <placeholder " -"type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Search for host public keys in SSSD domain " -"<replaceable>DOMAIN</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 -msgid "Print the host ssh public keys for host <replaceable>HOST</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and " -"SIDs. No database is required in this case as the mapping is done by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = " -"200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." 
+"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 -msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is " -"read-only the example includes <literal>backend = tdb</literal> as default." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"<command>sssctl</command> <arg " -"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg>" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. 
In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND " -"--help</command>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#: sssd-systemtap.5.xml:412 msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"Start the SystemTap script (<command>stap " +"/usr/share/sssd/systemtap/<script_name>.stp</command>), then perform " +"an identity operation and the script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "Another reason is to provide efficient caching of local users and groups." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of " -"UID/GID 0 is not handled by SSSD. Such requests are passed to next NSS " -"module (usually files)." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page for details on the " -"configuration of an SSSD domain. But the purpose of the files provider is to " -"expose the same data as the UNIX files, just through the SSSD " -"interfaces. Therefore not all generic domain options are " -"supported. 
Likewise, some global options, such as overriding the shell in " -"the <quote>nss</quote> section for all domains has no effect on the files " -"domain unless explicitly specified per-domain. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. Refer to the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for full details about SSSD LDAP provider " +"configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " -"</citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with " -"them. The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 +#: sssd-ldap-attributes.5.xml:97 msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the " +"<quote>ldap</quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. 
The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at " -"<filename>/var/run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry>. Unlike other SSSD responders, it cannot be started by " -"adding the <quote>secrets</quote> string to the <quote>service</quote> " -"directive. The systemd socket unit is called " -"<quote>sssd-secrets.socket</quote> and the corresponding service file is " -"called <quote>sssd-secrets.service</quote>. 
In order for the service to be " -"socket-activated, make sure the socket is enabled and active and the service " -"is enabled: <placeholder type=\"programlisting\" id=\"0\"/> Please note your " -"distribution may already configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " -"addition, there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections " -"(e.g. <quote>[secrets/users/123]</quote> - see bottom of this manual page " -"for a full example using Custodia for a particular user) that define which " -"provider store the secrets for this particular user. The per-user " -"subsections should contain all options for that user's provider. Please note " -"that currently the global provider is always local, the proxy provider can " -"only be specified in a per-user section. The following providers are " -"supported: <placeholder type=\"variablelist\" id=\"0\"/>" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 sssd-ldap-attributes.5.xml:855 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (date of the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"This option specifies the maximum number of secrets that can be stored " -"per-UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (minimum password age)." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (maximum password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the " -"<quote>secrets</quote> and the <quote>kcm</quote> hives, configure the " -"following: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> counterpart (account expiration " +"date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the " -"<quote>username</quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 -msgid "The value sssd-secrets would use for the <quote>auth_header_name</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 -msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Path to directory containing stored certificate authority " -"certificates. System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in " -"<quote>capath</quote>." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to " -"<quote>application/octet-stream</quote>. Secrets stored with requests that " -"set the Content Type header to <quote>application/octet-stream</quote> are " -"base64-encoded when stored and decoded when retrieved, so it's not possible " -"to store a secret with one Content Type and retrieve with another. The " -"secret URI must begin with <filename>/secrets/</filename>." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP " +"schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>phone</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder " -"type=\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret " -"value. If a secret with that name already exists, the response is a 409 HTTP " -"error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>authorized_service</quote> in order " +"for the ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder " -"type=\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login " +"process. Therefore when using service-based access control, the " +"<quote>systemd-user</quote> service might need to be added to the list of " +"allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on " -"http://localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. 
Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> " -"</citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry>, The credentials cache name must be only <quote>KCM:</quote> " -"without any template expansions. For example: <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path " -"<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. 
To configure " -"the Kerberos library, change its <quote>kcm_socket</quote> option which is " -"described in the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry>. Unlike other SSSD services, it cannot be started by adding " -"the <quote>kcm</quote> string to the <quote>service</quote> directive. " -"<placeholder type=\"programlisting\" id=\"0\"/> Please note your " -"distribution may already configure the units for you." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at " -"<quote>/var/lib/sss/secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever " -"use-case doesn't work for you. The KCM logs will be generated at " -"<filename>/var/log/sssd/sssd_kcm.log</filename>. It is recommended to " -"disable the debug logs when you no longer need the debugging to be enabled " -"as the sssd-kcm service can generate quite a large amount of debugging " -"information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the " -"sssd.conf file. Please note that because the KCM service is typically " -"socket-activated, it is enough to just restart the <quote>sssd-kcm</quote> " -"service after changing options in the <quote>kcm</quote> section of " -"sssd.conf: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " -"addition, there are some KCM-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 +msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -msgid "Default: 64" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -msgid "Default: 65536" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " -"</citerefentry>, <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " -"</citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in " -"/usr/share/systemtap/tapset/sssd.stp and " -"/usr/share/systemtap/tapset/sssd_functions.stp respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 sssd-systemtap.5.xml:131 -#, no-wrap -msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 +msgid "The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise " +"automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/sv.po b/src/man/po/sv.po index 4cfd87f94c3..edd640ae9f0 100644 --- a/src/man/po/sv.po +++ b/src/man/po/sv.po 
@@ -4,8 +4,8 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" -"PO-Revision-Date: 2019-08-27 08:49+0000\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" +"PO-Revision-Date: 2019-11-11 02:33+0000\n" "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n" "Language-Team: Swedish\n" "Language: sv\n" @@ -26,7 +26,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD manualsidor" @@ -72,7 +72,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "BESKRIVNING" @@ -142,7 +142,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" 
@@ -151,7 +151,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Filformat och konventioner" @@ -342,12 +342,12 @@ msgstr "" "aktiverat för SSSD-felsökningsloggning igoreras denna flagga." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Standard: true" 
@@ -366,19 +366,23 @@ msgstr "" "journald är aktiverat för SSSD-felsökningsloggning igoreras denna flagga." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Standard: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -404,8 +408,8 @@ msgstr "" "att efter tre missade hjärtslag kommer processen avsluta sig själv." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Standard: 10" @@ -420,7 +424,7 @@ msgid "The [sssd] section" msgstr "Sektionen [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Sektionsparametrar" @@ -481,12 +485,12 @@ msgstr "" "”systemctl enable sssd-@service@.socket\". </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -495,7 +499,7 @@ msgstr "" "dataleverantörkrasch eller starta om innan de ger upp" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Standard: 3" 
@@ -521,7 +525,7 @@ msgstr "" "understrykningstecken." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (sträng)" @@ -546,12 +550,12 @@ msgstr "" "för mer information om dessa reguljära uttryck." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -562,32 +566,32 @@ msgstr "" "samman ett fullständigt kvalificerat namn från namn- och domänkomponenter." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "användarnamn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "domännamn som det anges i SSSD-konfigurationsfilen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." 
@@ -596,7 +600,7 @@ msgstr "" "både direkt konfigurerade eller hittade via IPA-förtroenden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -615,16 +619,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (boolean)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD övervakar tillståndet hos resolv.conf för att identifiera när den " "behöver uppdatera sin interna DNS-uppslagning. Som standard kommer vi " 
@@ -632,7 +655,7 @@ msgstr "" "resolv.conf var femte sekund om inotify inte kan användas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -643,7 +666,7 @@ msgstr "" "alternativ sättas till ”false”" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -652,7 +675,7 @@ msgstr "" "plattformar." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -661,12 +684,12 @@ msgstr "" "inte är tillgängligt. På dessa plattformar kommer pollning alltid användas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -675,7 +698,7 @@ msgstr "" "återuppspelning." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." @@ -685,7 +708,7 @@ msgstr "" "cachefilerna för återuppspelning." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -694,12 +717,12 @@ msgstr "" "(__LIBKRB5_DEFAULTS__ om inte konfigurerat)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "user (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " 
@@ -721,17 +744,17 @@ msgstr "" "respondenten.</phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "Standard: inte angivet, processer kommer köra som root" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -746,7 +769,7 @@ msgstr "" "in med bara sitt användarnamn utan att ange ett domännamn dessutom." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 #, fuzzy #| msgid "" #| "Please note that if this option is set all users from the primary domain " 
@@ -772,23 +795,23 @@ msgstr "" "till False." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Standard: inte satt" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "override_space (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -803,7 +826,7 @@ msgstr "" "hantera blanka, på grund av att det är standardfältsepearatorn i skalet." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -816,22 +839,22 @@ msgstr "" "allmänhet är resultatet av en uppslagning odefinierat." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Default: not set (blanka kommer inte ersättas)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "certificate_verification (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "no_ocsp" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -842,57 +865,78 @@ msgstr "" "nåbara från klienten." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +#, fuzzy +#| msgid "no_ocsp" +msgid "soft_ocsp" +msgstr "no_ocsp" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Standard: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "no_verification" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." 
@@ -901,12 +945,12 @@ msgstr "" "testning." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "ocsp_default_responder=URL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -917,7 +961,7 @@ msgstr "" "respondenten t.ex. http://example.com:80/ocsp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." @@ -926,12 +970,12 @@ msgstr "" "ocsp_default_responder_signing_cert." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "ocsp_default_responder_signing_cert=NAMN" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -942,12 +986,12 @@ msgstr "" "i systemets NSS-databas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "Detta alternativ måste anges tillsammans med ocsp_default_responder." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." @@ -957,12 +1001,12 @@ msgstr "" "pam_cert_db_path." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "crl_file=/SÖKVÄG/TILL/CRL/FIL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -975,7 +1019,7 @@ msgstr "" "(Certificate Revocation List, CRL) in i en NSS-databas." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -988,8 +1032,22 @@ msgstr "" "<refentrytitle>crl</refentrytitle> <manvolnum>1ssl</manvolnum> </" "citerefentry> för detaljer." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -1000,32 +1058,32 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "Denna manualsida genererades för NSS-versionen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "Denna manualsida genererades för OpenSSL-versionen." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "Okända alternativ rapporteras men ignoreras." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "Standard: inte satt, d.v.s begränsa inte certifikatverifieringen" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "disable_netlink (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." 
@@ -1034,7 +1092,7 @@ msgstr "" "rutter, adresser, länkar och utlösa vissa åtgärder." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" @@ -1043,17 +1101,17 @@ msgstr "" "och kan avaktiveras genom att sätta detta alternativ till ”true”" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "Standard: false (netlink-förändringar detekteras)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "enable_files_domain (boolean)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." @@ -1062,12 +1120,12 @@ msgstr "" "<quote>id_provider=files</quote> före några explicit konfigurerade domäner." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "domain_resolution_order" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " 
@@ -1084,7 +1142,7 @@ msgstr "" "kommer slås upp i en slumpvis ordning för varje föräldradomän." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -1114,7 +1172,7 @@ msgstr "" "användarnamn kan överlappa mellan domäner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Standard: inte satt" @@ -1137,12 +1195,12 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "TJÄNSTESEKTIONER" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " 
@@ -1155,22 +1213,22 @@ msgstr "" "<quote>[nss]</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Allmänna alternativ för tjänstekonfiguration" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Dessa alternativ kan användas för att konfigurera alla tjänster." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " @@ -1185,17 +1243,17 @@ msgstr "" "och den ”hårda” gränsen i limits.conf." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "Standard: 8192 (eller den ”hårda” gränsen i limits.conf)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " 
@@ -1210,18 +1268,18 @@ msgstr "" "konfigureras kommer det att justeras till 10 sekunder." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Standard: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " @@ -1232,12 +1290,12 @@ msgstr "" "Detta värde är i sekunder och beräknas enligt följande:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "offline_timeout + slumptillägg" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" 
@@ -1246,12 +1304,12 @@ msgstr "" "att koppla upp kalkyleras det nya intervallet om enligt följande:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "nytt_intervall = gammalt_intervall·2 + slumptillägg" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1262,12 +1320,12 @@ msgstr "" "större än en timma kommer det att tvingas tillbaka till en timma." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "responder_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1286,18 +1344,18 @@ msgstr "" "antingen uttags- eller D-Bus-aktiverade." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Standard: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "cache_first" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." @@ -1306,12 +1364,12 @@ msgstr "" "den frågar dataleverantörerna." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "NSS-konfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1319,12 +1377,12 @@ msgstr "" "Switch (NSS)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1333,17 +1391,17 @@ msgstr "" "information om alla användare)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Standard: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1354,7 +1412,7 @@ msgstr "" "för domänen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1369,7 +1427,7 @@ msgstr "" "framtida begäranden kommer behöva blockera i väntan på en cacheuppdatering." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1382,17 +1440,17 @@ msgstr "" "(0 avaktiverar denna funktion)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Standard: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1403,17 +1461,17 @@ msgstr "" "bakänden tillfrågas igen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Standard: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "local_negative_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1424,17 +1482,17 @@ msgstr "" "in alternativet till 0 avaktiverar denna funktion." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "Standard: 14400 (4 timmar)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1448,7 +1506,7 @@ msgstr "" "användarhuvudnamn (UPN)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1461,17 +1519,17 @@ msgstr "" "kommer fortfarande ha medlemsanvändarna i den senare listade." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Standard: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" @@ -1479,12 +1537,12 @@ msgstr "" "sätt då detta alternativ till false." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1493,7 +1551,7 @@ msgstr "" "anges av domänens dataleverantör." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1501,7 +1559,7 @@ msgstr "" "override_homedir." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1511,23 +1569,23 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "exempel: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "Standard: inte satt (ingen ersättning för ej angivna hemkataloger)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1538,30 +1596,30 @@ msgstr "" "sektionen [nss] eller per domän." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" "Standard: inte angivet (SSSD kommer använda värdet som hämtats från LDAP)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" "Begränsa användarskal till en av de listade värdena. Beräkningsordningen är:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "1. Om skalet finns i <quote>/etc/shells</quote> används det." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1570,7 +1628,7 @@ msgstr "" "quote>, använd värdet på parametern shell_fallback." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." 
@@ -1579,12 +1637,12 @@ msgstr "" "shells</quote> används ett nologin-skal." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "Jokertecknet (*) kan användas för att tillåta godtyckligt skal." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " @@ -1595,12 +1653,12 @@ msgstr "" "alla skal i allowed_shells skulle vara för mycket overhead." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "En tom sträng som skal skickas som den är till libc." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." 
@@ -1609,27 +1667,27 @@ msgstr "" "att en omstart av SSSD behövs ifall ett nytt skal installeras." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "Standard: inte satt. Användarens skal används automatiskt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "Ersätt alla instanser av dessa skal med shell_fallback" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1637,17 +1695,17 @@ msgstr "" "maskinen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Standard: /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." @@ -1657,7 +1715,7 @@ msgstr "" "per domän." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" @@ -1666,12 +1724,12 @@ msgstr "" "libc ersätter med något rimligt när nödvändigt, vanligen /bin/sh)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." 
@@ -1680,12 +1738,12 @@ msgstr "" "som giltiga." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." @@ -1695,7 +1753,7 @@ msgstr "" "minnet." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." @@ -1704,7 +1762,7 @@ msgstr "" "påverkan på SSSDs prestanda och skall bara användas för testning." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." @@ -1713,12 +1771,12 @@ msgstr "" "klientprogram inte använda den snabba cachen i minnet." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1735,7 +1793,7 @@ msgstr "" "citerefentry> för detaljer) men utan standardvärden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." @@ -1744,17 +1802,17 @@ msgstr "" "InfoPipe-altenativet om det inte är satt för NSS-respondenten." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "Standard: inte satt, gåtillbaka till InfoPipe-alternativet" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "pwfield (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." @@ -1763,12 +1821,12 @@ msgstr "" "returnera i fältet <quote>password</quote>." #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "Detta alternativ kan även sättas per domän." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" 
@@ -1777,12 +1835,12 @@ msgstr "" "(fildomänerna)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "PAM-konfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." @@ -1791,12 +1849,12 @@ msgstr "" "Authentication Module (PAM)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1806,17 +1864,17 @@ msgstr "" "inloggningen)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Standard: 0 (ingen gräns)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1825,12 +1883,12 @@ msgstr "" "inloggningsförsök är tillåtna." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1839,7 +1897,7 @@ msgstr "" "har nåtts före ett nytt inloggningsförsök är möjligt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1850,17 +1908,17 @@ msgstr "" "autentisering kan aktivera autentisering utan uppkoppling igen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Standard: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1869,43 +1927,43 @@ msgstr "" "Ju högre tal desto fler meddelanden visas." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "För närvarande stödjs följande värden:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: visa inte några meddelanden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: visa endast viktiga meddelanden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: visa informationsmeddelanden" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis>: visa alla meddelanden och felsökningsinformation" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Standard: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "pam_response_filter (heltal)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " @@ -1918,7 +1976,7 @@ msgstr "" "användaren eller miljövariabler som skall sättas av pam_sss." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." 
@@ -1927,37 +1985,37 @@ msgstr "" "gör detta alternativ att man kan filtrera ut andra sorters svar dessutom." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "ENV" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "Skicka inte några miljövariabler till någon tjänst." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "ENV:varnamn" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "Skicka inte miljövariableln varnamn till någon tjänst." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "ENV:varnamn:tjänst" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "Skicka inte miljövariabeln varnamn till tjänst." #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -1966,17 +2024,17 @@ msgstr "" "\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "Example: ENV:KRB5CCNAME:sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1987,7 +2045,7 @@ msgstr "" "till att autentisering sker med den senaste informationen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -2001,17 +2059,17 @@ msgstr "" "identitetsleverantören." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "Visa en varning N dagar före lösenordet går ut." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -2021,7 +2079,7 @@ msgstr "" "lösenordet. Om denna information saknas kan sssd inte visa någon varning." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." @@ -2030,7 +2088,7 @@ msgstr "" "mottogs från bakändeserver kommer den automatiskt visas." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." 
@@ -2039,17 +2097,17 @@ msgstr "" "<emphasis>pwd_expiration_warning</emphasis> för en viss domän." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Standard: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "pam_trusted_users (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " @@ -2064,12 +2122,12 @@ msgstr "" "UID vid uppstart." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "Standard: alla användare betraktas som betrodda som standard" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." 
@@ -2078,12 +2136,12 @@ msgstr "" "inte är i listan pam_trusted_users." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "pam_public_domains (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." @@ -2092,20 +2150,20 @@ msgstr "" "betrodda användare." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" "Två speciella värden för alternativet pam_public_domains är definierade:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" "all (Ej betrodda användare tillåts komma åt alla domäner i PAM-respondenten.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" 
@@ -2114,19 +2172,19 @@ msgstr "" "respondenten.)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Standard: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "pam_account_expired_message (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." @@ -2135,7 +2193,7 @@ msgstr "" "standardmeddelandet ”åtkomst nekas”." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." @@ -2145,7 +2203,7 @@ msgstr "" "felsökningsinformation)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -2155,12 +2213,12 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "pam_account_locked_message (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." @@ -2169,7 +2227,7 @@ msgstr "" "standardmeddelandet ”åtkomst nekas”." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -2177,12 +2235,12 @@ msgid "" msgstr "pam_account_locked_message = Kontot är låst, kontakta kundtjänsten. " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "pam_cert_auth (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -2193,19 +2251,19 @@ msgstr "" "autentiseringsprocessen är detta alternativ avaktiverat som standard." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Default: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "pam_cert_db_path (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." 
@@ -2214,17 +2272,17 @@ msgstr "" "komma åt smartkortet." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "Standard:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "/etc/pki/nssdb (NSS-version, sökväg till en NSS-databas)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" 
@@ -2233,22 +2291,22 @@ msgstr "" "betrodda CA-certifikat i PEM-format)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "p11_child_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "Hur många sekunder pam_sss kommer vänta på p11_child att avsluta." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "pam_app_services (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" @@ -2257,12 +2315,12 @@ msgstr "" "<quote>application</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "pam_p11_allowed_services (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." @@ -2271,7 +2329,7 @@ msgstr "" "tillåtet att använda smarta kort." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" 
@@ -2281,7 +2339,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2301,63 +2359,63 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "Standard: standarduppsättningen av PAM-tjänstenamn innefattar:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "login" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "su" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "su-l" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "gdm-smartcard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "gdm-password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "kdm" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "sudo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "gnome-screensaver" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "p11_wait_for_card_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " 
@@ -2367,12 +2425,12 @@ msgstr "" "p11_child_timeout PAM-respondenten skall vänta på att ett smartkort sätts in." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "p11_uri (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " @@ -2389,7 +2447,7 @@ msgstr "" "användas för att säga till p11_child att använda en specifik läsare." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2399,7 +2457,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2409,7 +2467,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " 
@@ -2422,12 +2480,12 @@ msgstr "" "verktyget ”p11tool” med t.ex. ”--list-all” visa även PKCS#11 URI:er." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "SUDO-konfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" @@ -2445,12 +2503,12 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." @@ -2459,12 +2517,12 @@ msgstr "" "tidsberoende sudoers-poster skall evalueras eller inte." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "sudo_threshold (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2479,22 +2537,22 @@ msgstr "" "gränsvärde gäller även IPA-sudo-kommandon och kommandugruppsökningar." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "AUTOFS-konfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "Dessa alternativ kan användas för att konfigurera tjänsten autofs." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2505,22 +2563,22 @@ msgstr "" "finns) innan bakänden tillfrågas igen." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "SSH-konfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "Dessa alternativ kan användas för att konfigurera tjänsten SSH." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." @@ -2529,12 +2587,12 @@ msgstr "" "till kontrollsummor eller inte." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." 
@@ -2543,17 +2601,17 @@ msgstr "" "att dess värdnycklar begärdes" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Standard: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "ssh_use_certificate_keys (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2567,12 +2625,43 @@ msgstr "" "manvolnum> </citerefentry> för detaljer." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_certificate (sträng)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Default: not set (blanka kommer inte ersättas)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "ca_db (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." 
@@ -2581,12 +2670,12 @@ msgstr "" "validera användarcertifikat före publika ssh-nycklar härleds från dem." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "PAC-respondentskonfigurationsalternativ" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2604,7 +2693,7 @@ msgstr "" "beräknad kommer några av följande operationer att göras:" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2620,7 +2709,7 @@ msgstr "" "kan skrivas över med parametern default_shell." #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." 
@@ -2629,17 +2718,17 @@ msgstr "" "användaren läggas till i dessa grupper." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "Dessa alternativ kan användas för att konfigurera PAC-respondenten." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " @@ -2650,12 +2739,12 @@ msgstr "" "uppstart." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "Standard: 0 (endast root-användaren tillåts komma åt PAC-respondenten)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " 
@@ -2668,12 +2757,12 @@ msgstr "" "0 i listan av tillåtna UID:er." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "pac_lifetime (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." @@ -2682,12 +2771,12 @@ msgstr "" "datan användas för att avgöra gruppmedlemskap för en användare." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "Konfigurationsalternatvi för inspelning av sessioner" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2703,33 +2792,33 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" "Dessa alternativ kan användas för att konfigurera inspelning av sessioner." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "scope (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "”none”" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "Inga användare spelas in." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "”some”" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." 
@@ -2738,17 +2827,17 @@ msgstr "" "och <replaceable>groups</replaceable> spelas in." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "”all”" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "Alla användare spelas in." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" @@ -2757,17 +2846,17 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "Standard: ”none”" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "users (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2778,17 +2867,17 @@ msgstr "" "efter eventuellt utbyte av mellanslag, ändring av skiftläge, etc." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "Default: Tomt. Matchar inte några användare." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "groups (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2799,7 +2888,7 @@ msgstr "" "efter eventuellt utbyte av mellanslag, ändring av skiftläge, etc." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2810,22 +2899,22 @@ msgstr "" "användare måste hämtas och matchas mot grupperna användaren är en medlem i." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "Standard: Tom. Matchar inga grupper." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "DOMÄNSEKTIONER" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "domain_type (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2838,7 +2927,7 @@ msgstr "" "operativsystemets gränssnitt och verktyg." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." @@ -2847,7 +2936,7 @@ msgstr "" "<quote>application</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2860,7 +2949,7 @@ msgstr "" "respondenten." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." @@ -2869,7 +2958,7 @@ msgstr "" "<quote>id_provider=ldap</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." @@ -2878,17 +2967,17 @@ msgstr "" "<quote>Programdomäner</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "Standard: posix" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." @@ -2897,7 +2986,7 @@ msgstr "" "utanför dessa gränser ignoreras den." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2910,7 +2999,7 @@ msgstr "" "ligger i intervallet rapporteras som förväntat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." @@ -2919,17 +3008,17 @@ msgstr "" "när de returneras via namn eller ID." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Standard: 1 för min_id, 0 (ingen gräns) för max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2942,22 +3031,22 @@ msgstr "" "Denna parameter kan ha ett av följande värden:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = Användare och grupper räknas upp" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = Inga uppräkningar för denna domän" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Standard: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." @@ -2966,7 +3055,7 @@ msgstr "" "grupposter från fjärrservern." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2989,7 +3078,7 @@ msgstr "" "med startas om av den interna vakthunden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -2998,7 +3087,7 @@ msgstr "" "användar- eller grupplistan returnera utan resultat tills den är färdig." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " @@ -3011,7 +3100,7 @@ msgstr "" "information, se manualsidorna för den specifika id-leverantören som används." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." 
@@ -3020,32 +3109,32 @@ msgstr "" "stora miljöer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "Alla upptäckta betrodda domäner kommer räknas upp" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "Inga upptäckta betrodda domäner kommer räknas upp" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -3058,12 +3147,12 @@ msgstr "" "bara för dessa betrodda domäner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -3072,7 +3161,7 @@ msgstr "" "bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -3089,17 +3178,17 @@ msgstr "" "redan har cachats." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Standard: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -3108,19 +3197,19 @@ msgstr "" "bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Standard: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -3129,12 +3218,12 @@ msgstr "" "bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -3143,12 +3232,12 @@ msgstr "" "frågar bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" @@ -3157,12 +3246,12 @@ msgstr "" "bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" @@ -3171,12 +3260,12 @@ msgstr "" "igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" 
@@ -3185,12 +3274,12 @@ msgstr "" "giltiga före den frågar bakänden igen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "entry_cache_ssh_host_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." @@ -3199,12 +3288,12 @@ msgstr "" "hur länge värdnyckeln skall cachas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." @@ -3213,7 +3302,7 @@ msgstr "" "i bakgrunden som kommer uppdatera alla utgångna eller nästan utgångna poster." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -3222,42 +3311,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 +#, fuzzy +#| msgid "" +#| "This option specifies the maximum allowed number of nested containers." msgid "This option is automatically inherited for all trusted domains." msgstr "" +"Detta alternativ specificerar det maximala antalet tillåtna nästlade " +"behållare." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "Du kan överväga att sätta detta värde till ¾ · entry_cache_timeout." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Standard: 0 (avaktiverat)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "Bestämmer om användarkreditiv också cachas i den lokala LDB-cachen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "Användarkreditiv sparas i en SHA512-kontrollsumma, inte i klartext" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "cache_credentials_minimal_first_factor_length (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -3268,7 +3362,7 @@ msgstr "" "lösenord) måste ha för att sparas som en SHA512-kontrollsumma i cachen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." @@ -3278,17 +3372,17 @@ msgstr "" "attacker." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "Standard: 8" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -3301,17 +3395,17 @@ msgstr "" "offline_credentials_expiration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Standard: 0 (obegränsat)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -3323,17 +3417,17 @@ msgstr "" "Dessutom måste en autentiseringsleverantör ha konfigurerats för bakänden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Standard: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -3341,12 +3435,12 @@ msgstr "" "stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "<quote>proxy</quote>: Stöd en tidigare NSS-leverantör." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" @@ -3354,7 +3448,7 @@ msgstr "" "(FÖRÅLDRAT)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3365,7 +3459,7 @@ msgstr "" "information om hur lokala användare och grupper kan speglas in i SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3376,8 +3470,8 @@ msgstr "" "information om att konfigurera LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3390,8 +3484,8 @@ msgstr "" "konfigurera FreeIPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3402,12 +3496,12 @@ msgstr "" "citerefentry> för mer information om att konfigurera Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -3416,7 +3510,7 @@ msgstr "" "full_name_format) som användarens inloggningsnamn rapporterat till NSS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3430,7 +3524,7 @@ msgstr "" "command> skulle det." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3442,22 +3536,22 @@ msgstr "" "namn begärs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "Standard: FALSE (TRUE om default_domain_suffix används)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (bool)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "Returnera inte gruppmedlemmar för gruppuppslagningar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3476,7 +3570,7 @@ msgstr "" "som om den vore tom." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -3487,12 +3581,12 @@ msgstr "" "innehåller många medlemmar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" @@ -3501,7 +3595,7 @@ msgstr "" "är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3512,7 +3606,7 @@ msgstr "" "citerefentry> för mer information om att konfigurera LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3523,7 +3617,7 @@ msgstr "" "citerefentry> för mer information om att konfigurera Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" 
@@ -3531,17 +3625,17 @@ msgstr "" "PAM-mål." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "<quote>local</quote>: SSSD:s interna leverantör för lokala användare." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> avaktiverar explicit autentisering." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3550,12 +3644,12 @@ msgstr "" "autentiseringsbegäranden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " @@ -3566,7 +3660,7 @@ msgstr "" "Interna specialleverantörer är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." 
@@ -3575,12 +3669,12 @@ msgstr "" "åtkomstleverantören för en lokal domän." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> neka alltid åtkomst." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3593,7 +3687,7 @@ msgstr "" "konfigurera åtkomstmodulen simple." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3604,24 +3698,24 @@ msgstr "" "citerefentry> för mer information om att konfigurera Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" "<quote>proxy</quote> för att skicka vidare åtkomstkontroll till någon annam " "PAM-modul." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Standard: <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3630,7 +3724,7 @@ msgstr "" "av lösenordsändring som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3641,7 +3735,7 @@ msgstr "" "manvolnum> </citerefentry> för mer information om att konfigurera LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3652,7 +3746,7 @@ msgstr "" "citerefentry> för mer information om att konfigurera Kerberos." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" @@ -3660,12 +3754,12 @@ msgstr "" "annat PAM-mål." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "<quote>none</quote> tillåter uttryckligen inte lösenordsändringar.." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3674,18 +3768,18 @@ msgstr "" "hantera begäranden om ändring av lösenord." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "SUDO-leverantören som används för domänen. SUDO-leverantörer som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3696,7 +3790,7 @@ msgstr "" "citerefentry> för mer information om att konfigurera LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." @@ -3705,7 +3799,7 @@ msgstr "" "standandardsinställningar för IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." @@ -3714,18 +3808,18 @@ msgstr "" "standandardsinställningar för AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "<quote>none</quote> avaktiverar explicit SUDO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "Standard: värdet på <quote>id_provider</quote> används om det är satt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " 
@@ -3742,7 +3836,7 @@ msgstr "" "<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " @@ -3755,12 +3849,12 @@ msgstr "" "relaterad aktivitet i SSSD om du inte vill använda sudo med SSSD alls." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3771,7 +3865,7 @@ msgstr "" "åtkomstleverantören avslutar. Selinux-leverantörer som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3783,14 +3877,14 @@ msgstr "" "konfigurera IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" "<quote>none</quote> tillåter uttryckligen inte att hämta selinux-" "inställningar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." @@ -3799,12 +3893,12 @@ msgstr "" "begäranden om inläsning av selinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" @@ -3813,7 +3907,7 @@ msgstr "" "alltid vara samma som id_provider. Underdomänleverantörer som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3825,7 +3919,7 @@ msgstr "" "konfigurera IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " @@ -3838,17 +3932,17 @@ msgstr "" "konfigurera AD-leverantören." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "<quote>none</quote> tillåter uttryckligen inte att hämta underdomäner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "session_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " @@ -3860,14 +3954,14 @@ msgstr "" "med IPA. Sessionsleverantörer som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" "<quote>ipa</quote> för att utföra uppgifter relaterade till " "användarsessioner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" 
@@ -3875,7 +3969,7 @@ msgstr "" "användarsessioner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." @@ -3884,7 +3978,7 @@ msgstr "" "sessionsrelaterade uppgifter." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." @@ -3894,12 +3988,12 @@ msgstr "" "användaren." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -3907,7 +4001,7 @@ msgstr "" "är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3918,7 +4012,7 @@ msgstr "" "citerefentry> för mer information om att konfigurera LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3929,7 +4023,7 @@ msgstr "" "manvolnum> </citerefentry> för mer information om att konfigurera IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3941,17 +4035,17 @@ msgstr "" "leverantören." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "<quote>none</quote> avaktiverar explicit autofs." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -3960,7 +4054,7 @@ msgstr "" "leverantörer som stödjs är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3971,12 +4065,12 @@ msgstr "" "manvolnum> </citerefentry> för mer information om att konfigurera IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "<quote>none</quote> avaktiverar explicit värd-id:n." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3991,7 +4085,7 @@ msgstr "" "(NetBIOS) namnet på domänen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -4004,22 +4098,22 @@ msgstr "" "användarnamn:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "användarnamn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "användarnamn@domän.namn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "domån\\användarnamn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." @@ -4028,7 +4122,7 @@ msgstr "" "tredje för att tillåta enkel integration av användare från Windows-domäner." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -4039,7 +4133,7 @@ msgstr "" "quote>, sedan är domänen allting efter det”" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -4054,17 +4148,17 @@ msgstr "" "P<name>.+)@(?P<domain>[^@]+$))</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Standard: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -4073,42 +4167,42 @@ msgstr "" "uppslagningar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Värden som stödjs:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "ipv4_first: Försök slå up IPv4-adresser, om det misslyckas, prova IPv6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "ipv4_only: Försök endast slå upp värdnamn som IPv4-adresser." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "ipv6_first: Försök slå up IPv6-adresser, om det misslyckas, prova IPv4" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "ipv6_only: Försök endast slå upp värdnamn som IPv6-adresser." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Standard: ipv4_first" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -4120,7 +4214,7 @@ msgstr "" "nås kommer domänen fortsätta att fungera i frånkopplat läge." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." @@ -4128,18 +4222,18 @@ msgstr "" "Se avsnittet <quote>RESERVER</quote> för mer information om tjänstevalet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Standard: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -4148,52 +4242,52 @@ msgstr "" "fråga om tjänsteupptäckt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "Standard: använd domändelen av maskinens värdnamn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "Ersätt det primära GID-värdet med det angivna." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "case_sensitive (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "True" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "Skiftlägeskänsligt. Detta värde är inte giltigt för AD-leverantörer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "False" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "Skiftlägesokänsligt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "Preserving" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -4204,7 +4298,7 @@ msgstr "" "tjänster även protokollnamn) fortfarande skiftas ner i utdata." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -4217,17 +4311,17 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "Standard: True (False för AD-leverantören)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "subdomain_inherit (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -4238,27 +4332,27 @@ msgstr "" "följande alternativ ärvas:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" @@ -4267,7 +4361,7 @@ msgstr "" "ldap_krb5_keytab sätts särskilt)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -4277,33 +4371,33 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Exempel: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" "Observera: detta alternativ fungerar endast med leverantörerna IPA och AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "platt (NetBIOS) namn på en underdomän." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -4318,36 +4412,36 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" "Värdet kan åsidosättas av alternativet <emphasis>override_homedir</emphasis>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Standard: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" "Diverse taggar lagrade av ralmd-konfigurationstjänsten för denna domän." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "cached_auth_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -4360,7 +4454,7 @@ msgstr "" "uppkopplad autentisering." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." @@ -4369,12 +4463,12 @@ msgstr "" "det inte möjligt att ange olika värden för varje betrodd domän." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "Specialvärdet 0 betyder att denna funktion är avaktiverad." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " @@ -4385,17 +4479,17 @@ msgstr "" "<quote>initgroups.</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "auto_private_groups (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "true" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." 
@@ -4404,7 +4498,7 @@ msgstr "" "GID-numret ignoreras i detta läge." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " @@ -4417,12 +4511,12 @@ msgstr "" "framtvingar unika nummer över hela ID-rymden." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "false" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." @@ -4431,12 +4525,12 @@ msgstr "" "till ett gruppobjekt i LDAP-databasen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "hybrid" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 #, fuzzy #| msgid "" #| "A primary group is autogenerated for user entries whose UID and GID " 
@@ -4458,7 +4552,7 @@ msgstr "" "upp till det gruppobjektet. " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." @@ -4467,7 +4561,7 @@ msgstr "" "kan GID:t helt enkelt inte slås upp." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " @@ -4478,7 +4572,7 @@ msgstr "" "befintliga användarnas privata grupper." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -4487,7 +4581,7 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." @@ -4497,7 +4591,7 @@ msgstr "" "översättning." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" 
@@ -4507,7 +4601,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -4519,7 +4613,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -4533,7 +4627,7 @@ msgstr "" "\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" @@ -4544,17 +4638,17 @@ msgstr "" "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "Proxymålet PAM är en proxy för." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." 
@@ -4563,12 +4657,12 @@ msgstr "" "eller skapa en ny och lägga till tjänstenamnet här." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -4579,12 +4673,12 @@ msgstr "" "exempel _nss_files_getpwent." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4597,12 +4691,12 @@ msgstr "" "få SSSD att utföra ID-uppslagningen från cachen av prestandaskäl" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "proxy_max_children (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " 
@@ -4614,7 +4708,7 @@ msgstr "" "begäranden skulle köas upp." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4623,12 +4717,12 @@ msgstr "" "\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "Programdomäner" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -4657,7 +4751,7 @@ msgstr "" "traditionell SSSD-domän." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " @@ -4668,17 +4762,17 @@ msgstr "" "programdomänen och dess POSIX-syskondomän sätts korrekt." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "Programdomänparametrar" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "inherit_from (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " 
@@ -4691,7 +4785,7 @@ msgstr "" "quote>domänens inställningar." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4706,7 +4800,7 @@ msgstr "" "attributet telefon nåbart via D-Bus-gränssnittet." #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -4740,12 +4834,12 @@ msgstr "" "ldap_user_extra_attrs = telefon:telephoneNumber\n" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "Den lokala domänsektionen" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -4756,29 +4850,29 @@ msgstr "" "<replaceable>id_provider=local</replaceable>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "Standardskalet för användare som skapas med SSSD:s verktyg för " "användarrymden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Standard: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4787,17 +4881,17 @@ msgstr "" "replaceable> och använder det som hemkatalogen." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Standard: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4806,17 +4900,17 @@ msgstr "" "åsidosättas på kommandoraden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Standard: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (bool)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4825,12 +4919,12 @@ msgstr "" "användare. Kan åsidosättas på kommandoraden." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (heltal)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4841,17 +4935,17 @@ msgstr "" "på en nyskapad hemkatalog." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Standard: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4864,17 +4958,17 @@ msgstr "" "citerefentry>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Standard: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4885,17 +4979,17 @@ msgstr "" "ett standardvärde." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Standard: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4906,17 +5000,17 @@ msgstr "" "Ingen hänsyn tas till returkoden från kommandot." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Standard: Inget, inget kommando körs" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "SEKTIONEN BETRODDA DOMÄNER" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4933,57 +5027,57 @@ msgstr "" "alternativ i sektionen för betrodda domäner är:" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "ldap_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "ldap_user_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "ldap_group_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "ldap_netgroup_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "ldap_service_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "ldap_sasl_mech," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "ad_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "ad_backup_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "ad_site," #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "use_fully_qualified_names" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." @@ -4992,12 +5086,12 @@ msgstr "" "manualsidan." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "CERTIFIKATSMAPPNINGSSEKTION" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -5019,7 +5113,7 @@ msgstr "" "när lokala tjänster använder PAM för autentisering." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -5031,7 +5125,7 @@ msgstr "" "detaljer)." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" @@ -5044,12 +5138,12 @@ msgstr "" "replaceable>]</quote>. I denna sektion är följande alternativ tillåtna:" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "matchrule (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." 
@@ -5058,7 +5152,7 @@ msgstr "" "alla andra ignoreras." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" @@ -5067,17 +5161,17 @@ msgstr "" "Extended Key Usage <quote>clientAuth</quote>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "maprule (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "Definierar hur användaren hittas för ett givet certifikat." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." @@ -5086,7 +5180,7 @@ msgstr "" "<quote>ldap</quote>, <quote>AD</quote> eller <quote>ipa</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." 
@@ -5095,12 +5189,12 @@ msgstr "" "användare med samma namn." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "domains (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -5113,17 +5207,17 @@ msgstr "" "lägga till regeln till underdomäner också." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "Standard: den konfigurerade domänen i sssd.conf" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "priority (heltal)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " @@ -5134,12 +5228,12 @@ msgstr "" "prioriteten medans <quote>4294967295</quote> är den lägsta." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "Standard: den lägsta prioriteten" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" 
@@ -5149,7 +5243,7 @@ msgstr "" "speciella egenskaper:" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" @@ -5158,7 +5252,7 @@ msgstr "" "användaren" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -5171,17 +5265,17 @@ msgstr "" "short_name})</quote>" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "alternativet <quote>domains</quote> ignoreras" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "SEKTIONEN FÖR FRÅGEKONFIGURATION" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " @@ -5196,7 +5290,7 @@ msgstr "" "tillämpliga kreditiv." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 #, fuzzy #| msgid "" #| "With the growing number of authentication methods and the possibility " 
@@ -5215,22 +5309,22 @@ msgstr "" "användarfall. Följande alternativ bör ge en bättre flexibilitet här." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "[prompting/password]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "password_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "för att ändra strängen i lösenordsfrågan" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" 
@@ -5239,37 +5333,37 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "[prompting/2fa]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "first_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "för att ändra strängen som frågar efter den första faktorn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "second_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "för att ändra strängen som frågar efter den andra faktorn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "single_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 #, fuzzy #| msgid "" #| "boolean value, if True there will be only a single prompt using the value " 
@@ -5285,7 +5379,7 @@ msgstr "" "sträng" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" @@ -5294,7 +5388,7 @@ msgstr "" "alternativen: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 #, fuzzy #| msgid "" #| "Each supported authentication method has it's own configuration sub-" @@ -5312,7 +5406,7 @@ msgstr "" ">" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 #, fuzzy #| msgid "" #| "It is possible to add a sub-section for specific PAM services like e.g. " @@ -5328,12 +5422,12 @@ msgstr "" "enskild för denna tjänst." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "EXEMPEL" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -5387,7 +5481,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -5399,7 +5493,7 @@ msgstr "" "domäner för fler detaljer. <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" 
@@ -5409,7 +5503,7 @@ msgstr "" "use_fully_qualified_names = false\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -5425,7 +5519,7 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -5447,7 +5541,7 @@ msgstr "" "matchrule = <ISSUER>^CN=My-CA,DC=MIN,DC=DOMÄN$<SUBJECT>^CN=User.Name,DC=MIN,DC=DOMÄN$\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " @@ -5523,12 +5617,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "KONFIGURATIONSALTERNATIV" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -5543,17 +5637,17 @@ msgstr "" "<quote>TJÄNSTEUPPTÄCKT</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "Formatet på URI:n måste stämma med formatet som definieras i RFC 2732:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<värd>[:port]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" @@ -5561,17 +5655,17 @@ msgstr "" "hakparenteser []" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "exempel: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -5584,29 +5678,29 @@ msgstr "" "reserver och serverredundans." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "För att aktivera tjänsteuppslagning måste ldap_chpass_dns_service_name vara " "satt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Standard: tomt, d.v.s. ldap_uri används." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "Standard bas-DN att använda för att utföra LDAP-användaroperationer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -5615,17 +5709,17 @@ msgstr "" "syntaxen:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "sökbas[?räckvidd?[filter][?sökbas?räckvidd?[filter]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "Räckvidden kan vara en av ”base”, ”onelevel” eller ”subtree”." #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -5633,14 +5727,14 @@ msgstr "" "Filtret måste vara ett korrekt LDAP-sökfilter som specificerat i http://www." "ietf.org/rfc/rfc2254.txt" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Exempel:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -5649,7 +5743,7 @@ msgstr ""
 "ldap_search_base = dc=example,dc=com?subtree?"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:134
+#: sssd-ldap.5.xml:140
 msgid ""
 "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
 "(host=thishost)?dc=example.com?subtree?"
@@ -5658,7 +5752,7 @@ msgstr ""
 "(host=thishost)?dc=example.com?subtree?"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:137
+#: sssd-ldap.5.xml:143
 msgid ""
 "Note: It is unsupported to have multiple search bases which reference "
 "identically-named objects (for example, groups with the same name in two "
@@ -5670,7 +5764,7 @@ msgstr ""
 "sökbaser). Detta kommer medföra oförutsägbart beteende på klientmaskinerna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:144
+#: sssd-ldap.5.xml:150
 msgid ""
 "Default: If not set, the value of the defaultNamingContext or namingContexts "
 "attribute from the RootDSE of the LDAP server is used. If "
@@ -5687,12 +5781,12 @@ msgstr ""
 "stödjs inte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:158
+#: sssd-ldap.5.xml:164
 msgid "ldap_schema (string)"
 msgstr "ldap_schema (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:161
+#: sssd-ldap.5.xml:167
 msgid ""
 "Specifies the Schema Type in use on the target LDAP server. Depending on "
 "the selected schema, the default attribute names retrieved from the servers "
@@ -5703,32 +5797,32 @@ msgstr ""
 "Sättet som en del attribut hanteras kan också skilja."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:168
+#: sssd-ldap.5.xml:174
 msgid "Four schema types are currently supported:"
 msgstr "Fyra schematyper stödjs för närvarande:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:172
+#: sssd-ldap.5.xml:178
 msgid "rfc2307"
 msgstr "rfc2307"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:177
+#: sssd-ldap.5.xml:183
 msgid "rfc2307bis"
 msgstr "rfc2307bis"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:182
+#: sssd-ldap.5.xml:188
 msgid "IPA"
 msgstr "IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:187
+#: sssd-ldap.5.xml:193
 msgid "AD"
 msgstr "AD"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:193
+#: sssd-ldap.5.xml:199
 msgid ""
 "The main difference between these schema types is how group memberships are "
 "recorded in the server. With rfc2307, group members are listed by name in "
@@ -5745,37 +5839,37 @@ msgstr ""
 "värden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:203
+#: sssd-ldap.5.xml:209
 msgid "Default: rfc2307"
 msgstr "Standard: rfc2307"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:209
+#: sssd-ldap.5.xml:215
 msgid "ldap_pwmodify_mode (string)"
 msgstr "ldap_pwmodify_mode (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:212
+#: sssd-ldap.5.xml:218
 msgid "Specify the operation that is used to modify user password."
 msgstr "Ange operationen som används för att ändra användarens lösenord."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:216
+#: sssd-ldap.5.xml:222
 msgid "Two modes are currently supported:"
 msgstr "Två lägen stödjs för närvarande:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:220
+#: sssd-ldap.5.xml:226
 msgid "exop - Password Modify Extended Operation (RFC 3062)"
 msgstr "exop - Password Modify Extended Operation (RFC 3062)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ldap.5.xml:226
+#: sssd-ldap.5.xml:232
 msgid "ldap_modify - Direct modification of userPassword (not recommended)."
 msgstr "ldap_modify - Direkt ändring av userPassword (rekommenderas inte)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:233
+#: sssd-ldap.5.xml:239
 msgid ""
 "Note: First, a new connection is established to verify current password by "
 "binding as the user that requested password change. If successful, this "
@@ -5788,57 +5882,57 @@ msgstr ""
 "måste användaren a skrivrätt på attributet userPassword."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:241
+#: sssd-ldap.5.xml:247
 msgid "Default: exop"
 msgstr "Standard: exop"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:247
+#: sssd-ldap.5.xml:253
 msgid "ldap_default_bind_dn (string)"
 msgstr "ldap_default_bind_dn (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:250
+#: sssd-ldap.5.xml:256
 msgid "The default bind DN to use for performing LDAP operations."
 msgstr "Standard bindning-DN att använda för att utföra LDAP-operationer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:257
+#: sssd-ldap.5.xml:263
 msgid "ldap_default_authtok_type (string)"
 msgstr "ldap_default_authtok_type (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:260
+#: sssd-ldap.5.xml:266
 msgid "The type of the authentication token of the default bind DN."
 msgstr "Typen på autentiseringstecknet hos standardbindnings-DN."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:264
+#: sssd-ldap.5.xml:270
 msgid "The two mechanisms currently supported are:"
 msgstr "De två mekanismerna som stödjs för närvarande är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:267
+#: sssd-ldap.5.xml:273
 msgid "password"
 msgstr "password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:270
+#: sssd-ldap.5.xml:276
 msgid "obfuscated_password"
 msgstr "obfuscated_password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:273
+#: sssd-ldap.5.xml:279
 msgid "Default: password"
 msgstr "Standard: password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:285
 msgid "ldap_default_authtok (string)"
 msgstr "ldap_default_authtok (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:282
+#: sssd-ldap.5.xml:288
 msgid ""
 "The authentication token of the default bind DN. Only clear text passwords "
 "are currently supported."
@@ -5847,12502 +5941,13533 @@ msgstr "" "stödjs för närvarande." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "Objektklassen hos en användarpost i LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Standard: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" +"Några katalogservrar, till exempel Active Directory, kan leverera delen rike " +"av UPN:en i gemener, vilket kan få autentiseringen att misslyckas. Sätt " +"detta alternativ till ett värde skilt från noll ifall du vill använda ett " +"rike i versaler." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "LDAP-attributet som motsvarar användarens inloggningsnamn." +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Standard: uid (rfc2307, rfc2307bis och IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"Anger hur många sekunder SSSD måste vänta före den uppdaterar sin cache av " +"uppräknade poster." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (sträng)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "LDAP-attributet som motsvarar användarens id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"Bestäm hur ofta cachen skall kontrolleras för inaktiva poster (såsom grupper " +"utan medlemmar och användare som aldrig har loggat in) och ta bort dem för " +"att spara utrymme." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "Standard: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." 
+msgstr "" +"Att sätta detta alternativ till noll kommer avaktivera rensningsoperationen " +"för cachen. Observera att om uppräkning är aktiverat krävs rensningsjobbet " +"för att upptäcka poster som tas bort från servern och inte kan avaktiveras. " +"Som standard kör rensningsjobbet var 3:e timma när uppräkning är aktiverat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." -msgstr "LDAP-attributet som motsvarar användarens primära grupp-id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Standard: gidNumber" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" -msgstr "ldap_user_primary_group (sträng)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" +"Om ldap_schema är satt till ett schemaformat som stödjer nästade grupper (t." +"ex. RFC2307bis), då styr detta alternativ hur många nivåer av nästning SSSD " +"kommer följa. Detta alternativ har ingen effekt på schemat RFC2307." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" -"Active Directorys primära gruppattribut för ID-mappning. Observera att " -"detta attribut skall bara sättas manuellt om du kör <quote>ldap</quote>-" -"leverantören med ID-mappning." +"Obs: detta alternativ anger den garanterade nivån av nästade grupper som " +"skall bearbetas för en godtycklig uppslagning. Dock <emphasis>kan</" +"emphasis> nästade grupper utöver denna gräns returneras om tidigare " +"uppslagningar redan har slagit upp de djupare nästningsnivåerna. Följande " +"uppslagningar för andra grupper kan också utöka resultatmängden för den " +"ursprungliga uppslagningen om den slås upp igen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" -msgstr "Standard: ej satt (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." 
+msgstr "" +"Om ldap_group_nesting_level sätts till 0 bearbetas inga nästade grupper " +"alls. Dock krävs det dessutom att användningen av Token-Groups avaktiveras " +"vid anslutning till Active-Directory Server 2008 och senare vid användning " +"av <quote>id_provider=ad</quote> genom att sätta ldap_use_togengroups till " +"false för att begränsa gruppnästning." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (sträng)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Standard: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "LDAP-attributet som motsvarar användarens gecos-fält." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" +"Detta alternativ aktiverar eller avaktiverar användningen av attributet " +"Token-Groups när initgroup utförs för användare från Active Directory Server " +"2008 och senare." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Standard: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "Standard: true för AD och IPA annars false." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (sträng)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "ldap_host_search_base (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." -msgstr "LDAP-attributet som innehåller namnet på användarens hemkatalog." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." +msgstr "Frivillig. Använd den givna strängen som en sökbas för värdobjekt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" +"Se <quote>ldap_search_base</quote> för information om konfiguration av " +"multipla sökbaser." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." -msgstr "LDAP-attributet som innehåller sökvägen till användarens standardskal." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Standard: värdet på <emphasis>ldap_search_base</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Standard: loginShell" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "ldap_user_uuid (sträng)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." -msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-användarobjekt." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" +"Anger tiden (i sekunder) som ldap-sökningar tillåts köra före de annuleras " +"och cachade resultat returneras (och går in i frånkopplat läge)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" -"Standard: inte satt i det allmänna fallet, objectGUID för AD och ipaUniqueID " -"för IPA" +"Obs: detta alternativ kan komma att ändras i framtida versioner av SSSD. " +"Det kommer sannolikt ersättas vid någon tidpunkt med en serie tidsgränser " +"för specifika uppslagningstyper." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (sträng)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" -"LDAP-attributet som innehåller objectSID för ett LDAP-användarobjekt. Detta " -"är normalt bara nödvändigt för Active Directory-servrar." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." -msgstr "Standard: objectSid för Active Directory, inte satt för andra servrar." +"Anger tiden (i sekunder) som ldap-sökningar för användar- och " +"gruppuppräkningar tillåts köra före de annuleras och cachade resultat " +"returneras (och går in i frånkopplat läge)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (sträng)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -"LDAP-attributet som innehåller tidsstämpeln för den senaste ändringen av " -"föräldraobjektet." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Standard: modifyTimestamp" +"Anger tidsgränsen (i sekunder) efter vilken <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> som följer efter en <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returnerar om inget händer." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (sträng)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (tidpunkt för senaste lösenordsändring)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Standard: shadowLastChange" +"Anger en tid (i sekunder) efter vilken anrop till synkrona LDAP API:er " +"kommer avbrytas om det inte kommer något svar. Styr även tidsgränsen vid " +"kommunikation med KDC:n i fallet SASL-bindningar, tidsgränsen för en LDAP-" +"bindningsoperation, utökad operation för lösenordsändring och StartTLS-" +"operationen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (sträng)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (minsta lösenordsålder)." +"Anger en tidsgräns (i sekunder) som en förbindelse med en LDAP-server kommer " +"underhållas. Efter den tiden kommer förbindelsen återetableras. Om den " +"används parallellt md SASL/GSSAPI kommer den tidigare av de två värdena " +"(detta värde eller TGT-livslängden) användas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Standard: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Standard: 900 (15 minuter)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (sträng)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (största lösenordsålder)." +"Ange antalet poster som skall hämtas från LDAP i en enskild begäran. Några " +"LDAP-servrar framtvingar en maximal gräns per begäran." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Standard: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Standard: 1000" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (sträng)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (boolean)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (varningsperiod för lösenord)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Standard: shadowWarning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (sträng)" +"Avaktivera flödesstyrningen (paging) av LDAP. Detta alternativ bör användas " +"om LDAP-servern rapporterar att den stödjer LDAP-flödesstyrning i sin " +"RootDSE men det inte är aktiverat eller inte fungerar som det skall." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (inaktivitetsperiod för lösenord)." +"Exempel: OpenLDAP-servrar med flödesstyrningsmodulen installerad på servern " +"men inte aktiverad kommer rapportera det i RootDSE:n men inte kunna använda " +"den." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Standard: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"Exempel: 389 DS har ett fel där den endast kan stödja en flödesstyrning åt " +"gången på en enskild förbindelse. På aktiva klienter kan detta resultera i " +"att några begäranden nekas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (sträng)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." 
-msgstr "" -"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " -"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (tid då kontot går ut)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "Avaktivera Active Directory intervallhämtning." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Standard: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" +"Active Directory begränsar antalet medlemmar som kan hämtas i en enskild " +"uppslagning med policyn MaxValRange (vilket som standard är 1500 " +"medlemmar). Om en grupp innehåller fler medlemmar skulle svaret innehålla " +"en AD-specifik intervallutökning. Detta alternativ avaktiverar tolkning av " +"intervallutökningar, därför kommer stora grupper förefalla inte ha några " +"medlemmar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (sträng)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (heltal)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"När ldap_pwd_policy=mit_kerberos används innehåller denna parameter namnet " -"på ett LDAP-attribut som lagrar dag och tid för senaste lösenordsändring i " -"kerberos." +"Vid kommunikation med en LDAP-server med SASL, ange den minsta " +"säkerhetsnivån som är nödvändig för att etablera förbindelsen. Värdet på " +"detta alternativ är definierat av OpenLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Standard: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "Standard: använd systemstandard (vanligen angivet i ldap.conf)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (sträng)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." 
+"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"När ldap_pwd_policy=mit_kerberos används innehåller denna parameter namnet " -"på ett LDAP-attribut som lagrar dag och tid när det nuvarande låsenordet går " -"ut." +"Ange antalet gruppmedlemmar som måste saknas i den interna cachen för att " +"orsaka en derefereringsuppslagning. Om färre medlemmar saknas slås de up " +"individuellt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Standard: krbPasswordExpiration" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (sträng)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" +"Du kan slå av derefereringsuppslagningar helt genom att sätta värdet till " +"0. Observera att det finns några kodvägar i SSSD, som IPA HBAC-" +"leverantören, som endast är implementerade med derefereringsanropet, så att " +"även med dereferens uttryckligen avaktiverat kommer dessa delar åndå använda " +"dereferenser om servern stödjer det och annonserar derefereringsstyrning i " +"rootDSE-objektet." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"När ldap_account_expire_policy=ad används innehåller denna parameter namnet " -"på ett LDAP-attribut som lagrar tidpunkten när kontot går ut." +"En derefereringsuppslagning är ett sätt att hämta alla gruppmedlemmar i ett " +"enda LDAP-anrop. Olika LDAP-servrar kan implementera olika " +"derefereringsmetoder. De servrar som stödjs för närvarande är 389(RHDS, " +"OpenLDAP och Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Standard: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" +"<emphasis>Obs:</emphasis> om någon av sökbaserna anger ett sökfilter, då " +"kommer prestandaförbättringen med derefereringsuppslagningar avaktiveras " +"oavsett denna inställning." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (sträng)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" -"När ldap_account_expire_policy=ad används innehåller denna parameter namnet " -"på ett LDAP-attribut som lagrar användarkontots styrbitfält." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Standard: userAccountControl" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (sträng)" +"Anger vilka kontroller som utförs av servercertifikat i en TLS-session, om " +"några. Det kan anges som ett av följande värden:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:647 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" -"När ldap_account_expire_policy=rhds eller likvärdigt används avgör denna " -"parameter om åtkomst skall tillåtas eller inte." +"<emphasis>never</emphasis> = Klienten kommer inte begära eller kontrollera " +"några servercertifikat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "Standard: nsAccountLock" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (sträng)" +#: sssd-ldap.5.xml:651 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" +"<emphasis>allow</emphasis> = Servercertifikatet begärs. Om inget certifikat " +"tillhandahålls fortsätter sessionen normalt. Om ett felaktigt certifikat " +"tillhandahålls kommer det ignoreras och sessionen fortsätta normalt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:658 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" -"När ldap_account_expire_policy=nds används avgör detta attribut om åtkomst " -"skall tillåtas eller inte." +"<emphasis>try</emphasis> = Servercertifikatet begärs. Om inget certifikat " +"tillhandahålls fortsätter sessionen normalt. Om ett felaktigt certifikat " +"tillhandahålls avslutas sessionen omedelbart." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Standard: loginDisabled" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (sträng)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." -msgstr "" -"När ldap_account_expire_policy=nds används avgör detta attribut till vilket " -"datum åtkomst tillåts." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" -"När ldap_account_expire_policy=nds används avgör detta attribut vilka timmar " -"på dagen i en vecka åtkomst tillåts." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Standard: loginAllowedTimeMap" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (sträng)" +"<emphasis>demand</emphasis> = Servercertifikatet begärs. Om inget " +"certifikat tillhandahålls eller ett felaktigt certifikat tillhandahålls " +"avslutas sessionen omedelbart." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 -msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" -"LDAP-attributet som innehåller användarens användarhuvudmansnamn i Kerberos " -"(UPN)." +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = Samma som <quote>demand</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Standard: krbPrincipalName" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Standard: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." -msgstr "" -"Kommaseparerad lista av LDAP-attribut som SSSD skall hämta tillsammans med " -"den vanliga uppsättningen av användarattribut." +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:683 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." 
+"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"Listan kan antingen innehålla endast LDAP-attributnamn, eller " -"kolonseparerade tupler av SSSD-cacheattribut och LDAP-attributnamn. Ifall " -"endast LDAP-attributnamn anges sparas attributet i cachen ordagrant. Att " -"använda ett anpassat SSSD-attributnamn kan vara nödvändigt i miljöer som " -"konfigurerar flera SSSD-domäner med olika LDAP-scheman." +"Anger filen som innehåller certifikat för alla Certifikatauktoriteterna som " +"<command>sssd</command> kommer godkänna." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" -"Observera att flera attributnamn är reserverade av SSSD, speciellt " -"attributet <quote>name</quote>. SSSD rapporterar ett fel om något av de " -"reserverade attributnamnen används som ett extra attributnamn." +"Standard: använd standardvärden för OpenLDAP, typiskt i <filename>/etc/" +"openldap/ldap.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:698 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" -"Spara attributet <quote>telephoneNumber</quote> från LDAP som " -"<quote>telephoneNumber</quote> i cachen." +"Anger sökvägen till en katalog som innehåller certifikat för " +"Certifikatauktoriteter i individuella filer. Typiskt måste filnamnen vara " +"konstrollsummor av certifikaten följda av ”.0”. Om det är tillgängligt kan " +"<command>cacertdir_rehash</command> användas för att skapa de korrekta " +"namnen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." -msgstr "" -"Spara attributet <quote>telephoneNumber</quote> från LDAP som <quote>phone</" -"quote> i cachen." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "Anger filen som innehåller certifikatet för klientens nyckel." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." -msgstr "LDAP-attributet som innehåller användarens publika SSH-nycklar." +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" -msgstr "Standard: sshPublicKey" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "Anger filen som innehåller klientens nyckel." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:741 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"Några katalogservrar, till exempel Active Directory, kan leverera delen rike " -"av UPN:en i gemener, vilket kan få autentiseringen att misslyckas. 
Sätt " -"detta alternativ till ett värde skilt från noll ifall du vill använda ett " -"rike i versaler." +"Anger acceptabla chiffersviter. Typiskt är detta en kolonseparerad lista. " +"Se <citerefentry><refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> för formatet." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (heltal)" +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:757 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" -"Anger hur många sekunder SSSD måste vänta före den uppdaterar sin cache av " -"uppräknade poster." +"Anger att id-leverantörsförbindelsen också måste använda <systemitem class=" +"\"protocol\">tls</systemitem> för att skydda kanalen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (heltal)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:770 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." 
+"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" -"Bestäm hur ofta cachen skall kontrolleras för inaktiva poster (såsom grupper " -"utan medlemmar och användare som aldrig har loggat in) och ta bort dem för " -"att spara utrymme." +"Anger att SSSD skall försöka översätta användar- och grupp-ID:n från " +"attributen ldap_user_objectsid och ldap_group_objectsid istället för att " +"förlita sig på ldap_user_uid_number och ldap_group_gid_number." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -"Att sätta detta alternativ till noll kommer avaktivera rensningsoperationen " -"för cachen. Observera att om uppräkning är aktiverat krävs rensningsjobbet " -"för att upptäcka poster som tas bort från servern och inte kan avaktiveras. " -"Som standard kör rensningsjobbet var 3:e timma när uppräkning är aktiverat." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "LDAP-attributet som motsvarar användarens fullständiga namn." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Standard: cn" +"För närvarande stödjer denna funktion endast Active Direcotory objectSID" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (sträng)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "ldap_min_id, ldap_max_id (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." -msgstr "LDAP-attributet som räknar upp användarens gruppmedlemskap." +#: sssd-ldap.5.xml:789 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" +"I kontrast mot den SID-baserade ID-översättningen som används om " +"ldap_id_mapping är satt till sant är det tillåtna ID-intervallet för " +"ldap_user_uid_number och ldap_group_gid_number obegränsat. I en uppsättning " +"med underdomäner/betrodda domäner kan detta leda till ID-kollisioner. För " +"att undvika kollisioner kan ldap_min_id och ldap_max_id sättas till att " +"begränsa det tillåtna intervallet för ID:na som läses direkt från servern. " +"Underdomäner kan sedan välja andra intervall för att översätta ID:n." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Standard: memberOf" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "Standard: inte satt (båda alternativen är satta till 0)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (sträng)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:810 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"Om access_provider=ldap och ldap_access_order=authorized_service kommer SSSD " -"använda förekomsten av attributet authorizedService i användarens LDAP-post " -"för att avgöra åtkomstpriviligier." +"Ange SASL-mekanismen att använda. För närvarande testas och stödjs endast " +"GSSAPI och GSS-SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:814 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. 
Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Ett explicit nekande (!svc) avgörs först. Därefter söker SSSD efter " -"explicit tillåtelse (svc) och slutligen efter allow_all (*)." +"Om bakänden stödjer underdomäner ärvs automatiskt värdet av ldap_sasl_mech " +"till underdomänerna. Om ett annat värde behövs för en underdomän kan det " +"skrivas över genom att sätta ldap_sasl_mech för denna underdomän explicit. " +"Se avsnittet SEKTIONEN BETRODDA DOMÄNER i <citerefentry><refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" -"emphasis> innehållla <quote>authorized_service</quote> för att alternativet " -"ldap_user_authorized_service skall fungera." +"värdnamn@RIKE\n" +"netbiosnamn$@RIKE\n" +"host/värdnamn@RIKE\n" +"*$@RIKE\n" +"host/*@RIKE\n" +"host/*\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:833 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" +"Ange SASL-auktoriseringes-id:t att använda. När GSSAPI/GSS-SPNEGO används " +"representerar detta Kerberos-huvudmannen som används för autentisering till " +"katalogen. Detta alternativ kan antingen innehålla den fullständiga " +"huvudmannen (till exempel host/minvärd@EXEMPEL.SE) eller bara " +"huvudmannanamnet (till exempel host/minvärd). Som standard är värdet inte " +"satt och följande huvudmän används: <placeholder type=\"programlisting\" id=" +"\"0\"/> Om ingen av dem kan hittas returneras den första huvudmannen i " +"keytab." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Standard: authorizedService" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "Standard: host/värdnamn@RIKE" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (sträng)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:862 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" -"Om access_provider=ldap och ldap_access_order=host kommer SSSD använda " -"förekomsten av attributet host i användarens LDAP-post för att avgöra " -"åtkomstpriviligier." +"Ange SASL-riket att använda. När det inte anges får detta alternativ " +"standardvärdet från krb5_realm. Om ldap_sasl_authid också innehåller riket " +"ignoreras detta alternativ." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." -msgstr "" -"Ett explicit nekande (!host) avgörs först. Därefter söker SSSD efter " -"explicit tillåtelse (host) och slutligen efter allow_all (*)." +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Standard: värdet på krb5_realm." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (boolean)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:877 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" -"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" -"emphasis> innehållla <quote>host</quote> för att alternativet " -"ldap_user_authorized_host skall fungera." +"Om satt till sant kommer LDAP-biblioteket utföra en omvänd uppslagning för " +"att ta fram värdnamnets kanoniska form under en SASL-bindning" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Standard: host" +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Standard: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "ldap_user_authorized_rhost (sträng)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 -msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" -"Om access_provider=ldap och ldap_access_order=rhost kommer SSSD använda " -"förekomsten av attributet rhost i användarens LDAP-post för att avgöra " -"åtkomstpriviligier." 
+"Ange den keytab som skall användas vid användning av SASL/GSSAPI/GSS-SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" -"Ett explicit nekande (!rhost) avgörs först. Därefter söker SSSD efter " -"explicit tillåtelse (rhost) och slutligen efter allow_all (*)." +"Standard: Systemets keytab, normalt <filename>/etc/krb5.keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:904 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" -"emphasis> innehållla <quote>rhost</quote> för att alternativet " -"ldap_user_authorized_rhost skall fungera." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "Standard: rhost" +"Anger att id-leverantören skall initiiera Kerberoskreditiv (TGT). Denna " +"åtgärd utförs endast om SASL används och den valda mekanismen är GSSAPI " +"eller GSS-SPNEGO." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "ldap_user_certificate (sträng)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." -msgstr "Namnet på LDAP-attributet som innehåller användarens X509-certifikat." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +msgstr "" +"Anger livslängden i sekunder på TGT:n om GSSAPI eller GSS-SPNEGO används." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" -msgstr "Standard: userCertificate;binary" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Standard: 86400 (24 timmar)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "ldap_user_email (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." -msgstr "Namnet på LDAP-attributet som innehåller användarens e-postadress." +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:932 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Observera: om en e-postadress för användaren står i konflikt med en e-" -"postadress eller fullt kvalificerat namn för en annan användare, då kommer " -"SSSD inte kunna serva dessa användare ordentligt. Om flera användare av " -"något skäl behöver dela samma e-postadress, sätt då detta attributnamn till " -"ett som inte finns för att avaktivera uppslagning/inloggning av användare " -"via e-post." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" -msgstr "Standard: mail" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (sträng)" +"Anger en kommaseparerad lista av IP-adresser eller värdnamn till " +"Kerberosservrar till vilka SSSD skall ansluta i prioritetsordning. 
För mer " +"information om reserver och serverredundans se avsnittet <quote>RESERVER</" +"quote>. Ett frivilligt portnummer (föregånget av ett kolon) kan läggas till " +"till adresserna eller värdnamnen. Om tomt aktiveras tjänsteupptäckt – för " +"mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "Objektklassen hos en gruppost i LDAP." +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" +"När tjänsteupptäckt används för KDC eller kpasswd-servrar söker SSSD först " +"efter DNS-poster som anger _udp som protokoll och provar sedan _tcp om inget " +"hittas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Standard: posixGroup" +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"Dettas alternativ hade namnet <quote>krb5_kdcip</quote> i tidigare utgåvor " +"av SSSD. Medan det äldre namnet känns igen tills vidare rekommenderas " +"användare att migrera sina konfigurationsfiler till att använda " +"<quote>krb5_server</quote> istället." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (sträng)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "LDAP-attributet som motsvarar gruppnamnet." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +msgstr "Ange Kerberos-RIKE (för SASL/GSSAPI/GSS-SPNEGO aut)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Standard: cn (rfc2307, rfc2307bis och IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "Standard: Systemstandard, se <filename>/etc/krb5.conf</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (sträng)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "LDAP-attributet som motsvarar gruppens id." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" +"Anger om värdens huvudman skall göras kononisk vid anslutning till LDAP-" +"servern. 
Denna funktion är tillgänglig med MIT Kerberos ≥ 1.7" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (sträng)" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "LDAP-attributet som innehåller namnen på gruppens medlemmar." +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" +"Anger om SSSD skall instruera Kerberos-biblioteken om vilket rike och vilka " +"KDC:er som skall användas. Detta alternativ är på som standard, om du " +"avaktiverar det behöver du konfigurera Kerberos-biblioteket i " +"konfigurationsfilen <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Standard: memberuid (rfc2307) / member (rfc2307bis)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "ldap_group_uuid (sträng)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-gruppobjekt." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" -"LDAP-attributet som innehåller objectSID för ett LDAP-gruppobjekt. Detta är " -"normalt bara nödvändigt för Active Directory-servrar." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (sträng)" +"Se manualsidan <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> för mer information " +"om lokaliseringsinsticksmodulen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (heltal)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1017 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" -"LDAP-attributet som innehåller ett heltalsvärde som indikerar grupptypen och " -"kanske ondra flaggor." +"Välj policyn för att utvärdera utgång av lösenord på klientsidan. Följande " +"värden är tillåtna:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1022 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" -"Detta attribut används för närvarande bara av AD-leverantören för att avgöra " -"om en domänlokal grupp och behöver filtreras bort för betrodda domäner." +"<emphasis>none</emphasis> – Ingen utvärdering på klientsidan. Detta " +"alternativ kan inte avaktivera lösenordspolicyer på serversidan." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" -msgstr "Standard: groupType i AD-leverantören, inte satt annars" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "ldap_group_external_member (sträng)" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" +"<emphasis>shadow</emphasis> – Använd attribut i stilen " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> för att utvärdera om lösenordet har gått ut." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1033 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" -"LDAP-attributet som refererar gruppmedlemmar som är definierade i en extern " -"domän. För närvarande stödjs endast IPA:s externa medlemmar." +"<emphasis>mit_kerberos</emphasis> – Använd attributen som används av MIT " +"Kerberos för att avgöra om lösenordet har gått ut. Använd " +"chpass_provider=krb5 för att uppdatera dessa attribut när läsenordet ändras." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." 
-msgstr "Standard: ipaExternalMember i IPA-leverantören, inte satt annars" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" +"<emphasis>Obs</emphasis>: om en lösenordspolicy konfigureras på serversidan " +"kommer den alltid gå före framför policyn som sätts med detta alternativ." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (heltal)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 -msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." -msgstr "" -"Om ldap_schema är satt till ett schemaformat som stödjer nästade grupper (t." -"ex. RFC2307bis), då styr detta alternativ hur många nivåer av nästning SSSD " -"kommer följa. Detta alternativ har ingen effekt på schemat RFC2307." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "Anger huruvida automatisk uppföljning av referenser skall aktiveras." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. 
Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" -"Obs: detta alternativ anger den garanterade nivån av nästade grupper som " -"skall bearbetas för en godtycklig uppslagning. Dock <emphasis>kan</" -"emphasis> nästade grupper utöver denna gräns returneras om tidigare " -"uppslagningar redan har slagit upp de djupare nästningsnivåerna. Följande " -"uppslagningar för andra grupper kan också utöka resultatmängden för den " -"ursprungliga uppslagningen om den slås upp igen." +"Observera att sssd endast stödjer uppföljning av referenser när den är " +"kompilerad med OpenLDAP version 2.4.13 eller senare." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1062 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" -"Om ldap_group_nesting_level sätts till 0 bearbetas inga nästade grupper " -"alls. Dock krävs det dessutom att användningen av Token-Groups avaktiveras " -"vid anslutning till Active-Directory Server 2008 och senare vid användning " -"av <quote>id_provider=ad</quote> genom att sätta ldap_use_togengroups till " -"false för att begränsa gruppnästning." 
+"Att följa upp referenser kan orsaka en prestandaförlust i miljöer som " +"använder dem mycket, ett notabelt exempel är Microsoft Active Directory. Om " +"din uppsättning inte faktiskt behöver använda referenser kan att sätta detta " +"alternativ till falskt medföra en märkbar prestandaförbättring." -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Standard: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 -msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -"Detta alternativ aktiverar eller avaktiverar användningen av attributet " -"Token-Groups när initgroup utförs för användare från Active Directory Server " -"2008 och senare." +"Anger tjänstenamnet som skall användas när tjänsteupptäckt är aktiverat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "Standard: true för AD och IPA annars false." +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Standard: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (sträng)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "Objektklassen hos en nätgruppspost i LDAP." +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." -msgstr "I IPA-leverantören skall ipa_netgroup_object_class användas istället." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Anger tjänstenamnet att använda för att hitta en LDAP-server som tillåter " +"lösenordsändringar när tjänsteupptäckte är aktiverat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Standard: nisNetgroup" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "Standard: inte satt, d.v.s. tjänsteupptäckt är avaktiverat" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "LDAP-attributet som motsvarar nätgruppnamnet." +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (boolean)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "I IPA-leverantören skall ipa_netgroup_name användas istället." +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" +"Anger huruvida attributet ldap_user_shadow_last_change skall uppdateras med " +"dagar sedan epoken efter en ändring av lösenord." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." -msgstr "LDAP-attributet som innehåller namnen på nätgruppens medlemmar." +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." -msgstr "I IPA-leverantören skall ipa_netgroup_member användas istället." +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. 
Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" +"Om man använder access_provider = ldap och ldap_access_order = filter " +"(standard) är detta alternativ nödvändigt. Det anger ett LDAP-" +"sökfilterkriterium som måste uppfyllas för att användaren skall ges åtkomst " +"till denna värd. Om access_provider = ldap, ldap_access_order = filter och " +"detta alternativ inte är satt kommer det resultera i att alla användare " +"nekas åtkomst. Använd access_provider = permit för att ändra detta " +"standardbeteende. Observera att detta filter endast tillämpas på LDAP-" +"användarposten och därmed filter baserade på nestade grupper kanske inte " +"fungerar (t.ex. attributet memberOf i AD-poster pekar endast på direkta " +"föräldrar). Om filtrering baserad på nästade grupper behövs, se " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Standard: memberNisNetgroup" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Exempel:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (sträng)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1148 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" -"LDAP-attributet som innehåller nätgrupptrippeln (värd, användare, domän)." +"Detta exempel betyder att åtkomst till denna värd är begränsad till " +"användare vars attribut employeeType är satt till ”admin”." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." -msgstr "Detta alternativ är inte tillgängligt i IPA-leverantören." +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" +"Frånkopplad cachning för denna funktion är begränsad till att avgöra " +"huruvida användarens senaste uppkopplade inloggning tilläts " +"åtkomsträttigheter. Om de tilläts vid senaste inloggningen kommmer de " +"fortsätta ges åtkomst under frånkoppling, och vice versa." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Standard: nisNetgroupTriple" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (sträng)" +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Standard: Empty" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" -msgstr "ldap_host_object_class (sträng)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." -msgstr "Objektklassen hos en värdpost i LDAP." +#: sssd-ldap.5.xml:1170 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"Med detta alternativ kan en utvärdering på klientsidan av " +"åtkomststyrningsattribut aktiveras." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Standard: ipService" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" -msgstr "ldap_host_name (sträng)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" +"Observera att det alltid är rekommenderat att använda åtkomstkontroll på " +"serversidan, d.v.s. LDAP-servern skall neka bindningsbegäran med en passande " +"felkod även om lösenordet är korrekt." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "LDAP-attributet som motsvarar värdens namn." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "ldap_host_fqdn (sträng)" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Följande värden är tillåtna:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1184 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -"LDAP-attributet som motsvarar värdens fullständigt kvalificerade domännamn." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "Standard: fqdn" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" -msgstr "ldap_host_serverhostname (sträng)" +"<emphasis>shadow</emphasis>: använd värdet på ldap_user_shadow_expire för " +"att avgöra om kontot har gått ut." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" -msgstr "Standard: serverHostname" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" -msgstr "ldap_host_member_of (sträng)" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" +"<emphasis>ad</emphasis>: använd värdet på 32-bitarsfältet " +"ldap_user_ad_user_account_control och tillåt åtkomst om den andra biten är " +"satt eller inte. Om attributet saknas tillåts åtkomst. Utgångstiden för " +"kontot kontrolleras också." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." -msgstr "LDAP-attributet som räknar upp värdens gruppmedlemskap." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "ldap_host_search_base (sträng)" +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: använd värdet på ldap_ns_account_lock för att avgöra om åtkomst " +"tillåts eller inte." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." -msgstr "Frivillig. Använd den givna strängen som en sökbas för värdobjekt." 
+#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" +"<emphasis>nds</emphasis>: värdena på ldap_user_nds_login_allowed_time_map, " +"ldap_user_nds_login_disabled och ldap_user_nds_login_expiration_time används " +"för att avgöra om åtkomst tillåts. Om båda attributen saknas tillåts " +"åtkomst." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1211 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -"Se <quote>ldap_search_base</quote> för information om konfiguration av " -"multipla sökbaser." - -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Standard: värdet på <emphasis>ldap_search_base</emphasis>" +"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" +"emphasis> innehålla <quote>expire</quote> för att alternativet " +"ldap_account_expire_policy skall fungera." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" -msgstr "ldap_host_ssh_public_key (sträng)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "LDAP-attributet som innehåller värdens publika SSH-nycklar." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" -msgstr "ldap_host_uuid (sträng)" +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"Kommaseparerad lista över åtkomststyrningsalternativ. Tillåtna värden är:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." -msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-värdobjekt." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (sträng)" +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: använd ldap_access_filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." -msgstr "Objektklassen hos en servicepost i LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (sträng)" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. 
" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" +"<emphasis>lockout</emphasis>: använd kontolåsning. Om satt nekar detta " +"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och " +"har värdet ”000001010000Z”. Se alternativet ldap_pwdlockout_dn. Observera " +"att ”access_provider = ldap” måste vara satt för att denna funktion skall " +"fungera." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1244 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" -"LDAP-attributet som innehåller namnet på tjänsteattribut och deras alias." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (sträng)" +"<emphasis>Observera att detta alternativ ersätts av alternativet " +"<quote>ppolicy</quote> och kan komma att tas bort i en framtida utgåva.</" +"emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "LDAP-attributet som innehåller porten som hanteras av denna tjänst." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" +"<emphasis>ppolicy</emphasis>: använd kontolåsning. Om satt nekar detta " +"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och " +"har värdet ”000001010000Z” eller representerar en tidpunkt i det förgångna. " +"Värdet på attributet ”pwdAccountLockedTime” måste sluta med ”Z”, som " +"markerar tidszonen UTC. Andra tidszoner stödjs för närvarande inte och " +"kommer resultera i ”access-denied” när användare försöker logga in. Se " +"alternativet ldap_pwdlockout_dn. Observera att ”access_provider = ldap” " +"måste vara satt för att denna funktion skall fungera." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Standard: ipServicePort" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (sträng)" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: använd ldap_account_expire_policy" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1272 msgid "" -"The LDAP attribute that contains the protocols understood by this service." -msgstr "LDAP-attributet som innehåller protokollen som denna tjänst förstår." 
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> Dessa alternativ är användbara om " +"användare vill bli varnade att lösenordet är på gång att gå ut och " +"autentisering är baserat på användning av en annan metod än lösenord – till " +"exempel SSH-nycklar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Standard: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (heltal)" +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" +"Skillnadem mellan dessa alternativ är åtgärden som vidtas om användarens " +"lösenord gått ut: pwd_expire_policy_reject – användaren nekas att logga in, " +"pwd_expire_policy_warn – användaren kan fortfarande logga in, " +"pwd_expire_policy_renew – användaren ombeds ändra sitt lösenord omedelbart." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1290 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" -"Anger tiden (i sekunder) som ldap-sökningar tillåts köra före de annuleras " -"och cachade resultat returneras (och går in i frånkopplat läge)" +"Observera att om användarlösenordet har gått ut ges inget särskilt " +"meddelande av SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1294 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" -"Obs: detta alternativ kan komma att ändras i framtida versioner av SSSD. " -"Det kommer sannolikt ersättas vid någon tidpunkt med en serie tidsgränser " -"för specifika uppslagningstyper." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (heltal)" +"Observera att ”access_provider = ldap” måste vara satt för att denna " +"funktion skall fungera. ”ldap_pwd_policy” måste också vara satt till en " +"lämplig lösenordspolicy." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1299 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -"Anger tiden (i sekunder) som ldap-sökningar för användar- och " -"gruppuppräkningar tillåts köra före de annuleras och cachade resultat " -"returneras (och går in i frånkopplat läge)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (heltal)" +"<emphasis>authorized_service</emphasis>: använd attrobitet authorizedService " +"för att avgöra åtkomst" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 -msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" -"Anger tidsgränsen (i sekunder) efter vilken <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> som följer efter en <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returnerar om inget händer." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (heltal)" +"<emphasis>host</emphasis>: använd attributet host för att avgöra åtkomst" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1308 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -"Anger en tid (i sekunder) efter vilken anrop till synkrona LDAP API:er " -"kommer avbrytas om det inte kommer något svar. Styr även tidsgränsen vid " -"kommunikation med KDC:n i fallet SASL-bindningar, tidsgränsen för en LDAP-" -"bindningsoperation, utökad operation för lösenordsändring och StartTLS-" -"operationen." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (heltal)" +"<emphasis>rhost</emphasis>: använd attrobitet rhost för att avgöra huruvida " +"fjärrvärdar kan få åtkomst" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1312 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -"Anger en tidsgräns (i sekunder) som en förbindelse med en LDAP-server kommer " -"underhållas. Efter den tiden kommer förbindelsen återetableras. Om den " -"används parallellt md SASL/GSSAPI kommer den tidigare av de två värdena " -"(detta värde eller TGT-livslängden) användas." +"Observera, rhost-fältet i pam sätts av programmet, det är bättre att " +"kontrollera vad programmet skickar till pam, före detta alternativ för " +"åtkomstkontroll aktiveras" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Standard: 900 (15 minuter)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (heltal)" +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Standard: filter" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1320 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" -"Ange antalet poster som skall hämtas från LDAP i en enskild begäran. Några " -"LDAP-servrar framtvingar en maximal gräns per begäran." - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Standard: 1000" +"Observera att det är ett konfigurationsfel om ett värde används mer än en " +"gång." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (boolean)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 -msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." -msgstr "" -"Avaktivera flödesstyrningen (paging) av LDAP. Detta alternativ bör användas " -"om LDAP-servern rapporterar att den stödjer LDAP-flödesstyrning i sin " -"RootDSE men det inte är aktiverat eller inte fungerar som det skall." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 -msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." 
-msgstr "" -"Exempel: OpenLDAP-servrar med flödesstyrningsmodulen installerad på servern " -"men inte aktiverad kommer rapportera det i RootDSE:n men inte kunna använda " -"den." +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1330 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -"Exempel: 389 DS har ett fel där den endast kan stödja en flödesstyrning åt " -"gången på en enskild förbindelse. På aktiva klienter kan detta resultera i " -"att några begäranden nekas." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (boolean)" +"Detta alternativ anger DN för lösenordspolicyposten på LDAP-servern. Notera " +"att frånvaro av detta alternativ i sssd.conf när kontroll av kontolåsning är " +"aktiverat kommer att resultera i nekad åtkomst eftersom ppolicy-attribut på " +"LDAP-servern inte kan kontrolleras ordentligt. " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "Avaktivera Active Directory intervallhämtning." +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Exempel: cn=ppolicy,ou=policies,dc=exempel,dc=se" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 -msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." -msgstr "" -"Active Directory begränsar antalet medlemmar som kan hämtas i en enskild " -"uppslagning med policyn MaxValRange (vilket som standard är 1500 " -"medlemmar). Om en grupp innehåller fler medlemmar skulle svaret innehålla " -"en AD-specifik intervallutökning. Detta alternativ avaktiverar tolkning av " -"intervallutökningar, därför kommer stora grupper förefalla inte ha några " -"medlemmar." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "Standard: cn=ppolicy,ou=policies,$ldap_search_base" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (heltal)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1350 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -"Vid kommunikation med en LDAP-server med SASL, ange den minsta " -"säkerhetsnivån som är nödvändig för att etablera förbindelsen. Värdet på " -"detta alternativ är definierat av OpenLDAP." 
+"Anger hur dereferering av alias görs när sökningar utförs. Följande " +"alternativ är tillåtna:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" -msgstr "Standard: använd systemstandard (vanligen angivet i ldap.conf)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (heltal)" +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis>: Alias är aldrig derefererade." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#: sssd-ldap.5.xml:1359 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" -"Ange antalet gruppmedlemmar som måste saknas i den interna cachen för att " -"orsaka en derefereringsuppslagning. Om färre medlemmar saknas slås de up " -"individuellt." +"<emphasis>searching</emphasis>: Alias derefereras i underordnade till " +"basobjektet, men inte vid lokalisering basobjektet för sökningen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 +#: sssd-ldap.5.xml:1364 msgid "" -"You can turn off dereference lookups completely by setting the value to 0. 
" -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -"Du kan slå av derefereringsuppslagningar helt genom att sätta värdet till " -"0. Observera att det finns några kodvägar i SSSD, som IPA HBAC-" -"leverantören, som endast är implementerade med derefereringsanropet, så att " -"även med dereferens uttryckligen avaktiverat kommer dessa delar åndå använda " -"dereferenser om servern stödjer det och annonserar derefereringsstyrning i " -"rootDSE-objektet." +"<emphasis>finding</emphasis>: Alias derefereras endast vid lokalisering av " +"basobjektet för sökningen." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#: sssd-ldap.5.xml:1369 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" -"En derefereringsuppslagning är ett sätt att hämta alla gruppmedlemmar i ett " -"enda LDAP-anrop. Olika LDAP-servrar kan implementera olika " -"derefereringsmetoder. De servrar som stödjs för närvarande är 389(RHDS, " -"OpenLDAP och Active Directory." +"<emphasis>always</emphasis>: Alias derefereras både i sökning och i " +"lokalisering av basobjektet för sökningen." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#: sssd-ldap.5.xml:1374 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" -"<emphasis>Obs:</emphasis> om någon av sökbaserna anger ett sökfilter, då " -"kommer prestandaförbättringen med derefereringsuppslagningar avaktiveras " -"oavsett denna inställning." +"Standard: Tomt (detta hanteras som <emphasis>never</emphasis> av LDAP-" +"klientbiblioteken)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (sträng)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 +#: sssd-ldap.5.xml:1385 msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"Anger vilka kontroller som utförs av servercertifikat i en TLS-session, om " -"några. Det kan anges som ett av följande värden:" +"Tillåter att behålla lokala användare som medlemmar i en LDAP-grupp för " +"servrar som använder schemat RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#: sssd-ldap.5.xml:1389 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." 
+"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"<emphasis>never</emphasis> = Klienten kommer inte begära eller kontrollera " -"några servercertifikat." +"I en del miljöer där schemat RFC2307 används görs lokala användare till " +"medlemmar i LDAP-grupper genom att lägga till deras namn till attributet " +"memberUid. Den interna konsistensen i domänen bryts när detta görs, så SSSD " +"skulle normalt ta bort de ”saknade” användarna från de cachade " +"gruppmedlemskapen så fort nsswitch försöker hämta information om användaren " +"via anrop av getpw*() eller initgroups()." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#: sssd-ldap.5.xml:1400 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -"<emphasis>allow</emphasis> = Servercertifikatet begärs. Om inget certifikat " -"tillhandahålls fortsätter sessionen normalt. Om ett felaktigt certifikat " -"tillhandahålls kommer det ignoreras och sessionen fortsätta normalt." +"Detta alternativ faller tillbaka på att kontrollera om lokala användare är " +"refererade, och cachar dem så att senare anrop av initgroups() kommer utöka " +"de lokala användarna med de extra LDAP-grupperna." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." -msgstr "" -"<emphasis>try</emphasis> = Servercertifikatet begärs. Om inget certifikat " -"tillhandahålls fortsätter sessionen normalt. Om ett felaktigt certifikat " -"tillhandahålls avslutas sessionen omedelbart." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "wildcard_limit (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#: sssd-ldap.5.xml:1415 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -"<emphasis>demand</emphasis> = Servercertifikatet begärs. Om inget " -"certifikat tillhandahålls eller ett felaktigt certifikat tillhandahålls " -"avslutas sessionen omedelbart." +"Anger en övre gräns på antalet poster som hämtas under en uppslagning med " +"jokertecken." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = Samma som <quote>demand</quote>" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" +"För närvarande stödjer endast respondenten InfoPipe jockeruppslagningar." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Standard: hard" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (sträng)" +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" +msgstr "Standard: 1000 (ofta storleken på en sida)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Anger filen som innehåller certifikat för alla Certifikatauktoriteterna som " -"<command>sssd</command> kommer godkänna." 
+"Alla de vanliga konfigurationsalternativen som gäller SSSD-domäner gäller " +"även LDAP-domäner. Se avsnittet <quote>DOMÄNSEKTIONER</quote> av " +"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> för fullständiga detaljer. " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "SUDOALTERNATIV" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"Standard: använd standardvärden för OpenLDAP, typiskt i <filename>/etc/" -"openldap/ldap.conf</filename>" +"De detaljerade instruktionerna för att konfigurera sudo-leverantören finns i " +"manualsidan <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (sträng)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. 
Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" -"Anger sökvägen till en katalog som innehåller certifikat för " -"Certifikatauktoriteter i individuella filer. Typiskt måste filnamnen vara " -"konstrollsummor av certifikaten följda av ”.0”. Om det är tillgängligt kan " -"<command>cacertdir_rehash</command> användas för att skapa de korrekta " -"namnen." +"Hur många sekunder SSSD kommer vänta mellan körningar av fullständiga " +"uppdateringar av sudo-regler (som hämtar alla regler som är lagrade på " +"servern)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"Värdet måste vara större än <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." -msgstr "Anger filen som innehåller certifikatet för klientens nyckel." +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Standard: 21600 (6 timmar)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (sträng)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "Anger filen som innehåller klientens nyckel." +#: sssd-ldap.5.xml:1468 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." +msgstr "" +"Hur många sekunder SSSD måste vänta mellan körningar av en smart uppdatering " +"av sudo-regler (som hämtar alla regler som har USN högre än serverns högsta " +"USN-värde som för närvarande är känt av SSSD)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" +"Om USN-attribut inte stödjs av servern används attributet modifyTimestamp " +"istället." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" -"Anger acceptabla chiffersviter. Typiskt är detta en kolonseparerad lista. " -"Se <citerefentry><refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> för formatet." +"<emphasis>Obs:</emphasis> det högsta USN-värdet kan uppdateras av tre " +"uppgifter: 1) Genom fullständig och smart sudo-uppdatering (om det finns " +"uppdaterade regler), 2) genom uppräkning av användare och grupper (om det " +"finns aktiverade och uppdaterade grupper) och 3) genom att återansluta till " +"servern (som standard var 15:e minut, se " +"<emphasis>ldap_connection_expire_timeout</emphasis>)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (boolean)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" -"Anger att id-leverantörsförbindelsen också måste använda <systemitem class=" -"\"protocol\">tls</systemitem> för att skydda kanalen." 
+"Om sann kommer SSSD hämta endast regler som är tillämpliga för denna maskin " +"(genom användning av IPv4- och IPv6-värd-/-nätverksadresser och värdnamn)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (boolean)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -"Anger att SSSD skall försöka översätta användar- och grupp-ID:n från " -"attributen ldap_user_objectsid och ldap_group_objectsid istället för att " -"förlita sig på ldap_user_uid_number och ldap_group_gid_number." +"Mellanrumsseparerad lista över värdnamn eller fullständigt kvalificerade " +"domännamn som skall användas för att filtrera reglerna." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -"För närvarande stödjer denna funktion endast Active Direcotory objectSID" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" -msgstr "ldap_min_id, ldap_max_id (heltal)" +"Om detta alternativ är tomt kommer SSSD försöka upptäcka värdnamnet och det " +"fullständigt kvalificerade domännamnet automatiskt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -"I kontrast mot den SID-baserade ID-översättningen som används om " -"ldap_id_mapping är satt till sant är det tillåtna ID-intervallet för " -"ldap_user_uid_number och ldap_group_gid_number obegränsat. I en uppsättning " -"med underdomäner/betrodda domäner kan detta leda till ID-kollisioner. För " -"att undvika kollisioner kan ldap_min_id och ldap_max_id sättas till att " -"begränsa det tillåtna intervallet för ID:na som läses direkt från servern. " -"Underdomäner kan sedan välja andra intervall för att översätta ID:n." +"Om <emphasis>ldap_sudo_use_host_filter</emphasis> är <emphasis>false</" +"emphasis> har detta alternativ ingen effekt." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" -msgstr "Standard: inte satt (båda alternativen är satta till 0)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "Standard: inte angivet" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (sträng)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"Ange SASL-mekanismen att använda. För närvarande testas och stödjs endast " -"GSSAPI och GSS-SPNEGO." +"Mellanrumsseparerad lista över IPv4- eller IPv6 värd-/nätverksadresser som " +"skall användas för att filtrera reglerna." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#: sssd-ldap.5.xml:1541 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." 
msgstr "" -"Om bakänden stödjer underdomäner ärvs automatiskt värdet av ldap_sasl_mech " -"till underdomänerna. Om ett annat värde behövs för en underdomän kan det " -"skrivas över genom att sätta ldap_sasl_mech för denna underdomän explicit. " -"Se avsnittet SEKTIONEN BETRODDA DOMÄNER i <citerefentry><refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer." +"Om detta alternativ är tomt kommer SSSD försöka upptäcka adresser " +"automatiskt." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (sträng)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (boolean)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1559 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"värdnamn@RIKE\n" -"netbiosnamn$@RIKE\n" -"host/värdnamn@RIKE\n" -"*$@RIKE\n" -"host/*@RIKE\n" -"host/*\n" -" " +"Om sant kommer SSSD hämta varje regel som innehåller en nätgrupp i " +"attributet sudoHost." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#: sssd-ldap.5.xml:1577 msgid "" -"Specify the SASL authorization id to use. 
When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -"Ange SASL-auktoriseringes-id:t att använda. När GSSAPI/GSS-SPNEGO används " -"representerar detta Kerberos-huvudmannen som används för autentisering till " -"katalogen. Detta alternativ kan antingen innehålla den fullständiga " -"huvudmannen (till exempel host/minvärd@EXEMPEL.SE) eller bara " -"huvudmannanamnet (till exempel host/minvärd). Som standard är värdet inte " -"satt och följande huvudmän används: <placeholder type=\"programlisting\" id=" -"\"0\"/> Om ingen av dem kan hittas returneras den första huvudmannen i " -"keytab." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "Standard: host/värdnamn@RIKE" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (sträng)" +"Om sant kommer SSSD hämta varje regel som innehåller ett jokertecken i " +"attributet sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. 
If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -"Ange SASL-riket att använda. När det inte anges får detta alternativ " -"standardvärdet från krb5_realm. Om ldap_sasl_authid också innehåller riket " -"ignoreras detta alternativ." +"Att använda jokertecken är en operation som är väldigt dyr att evaluera på " +"LDAP-serversidan!" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Standard: värdet på krb5_realm." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" +"Denna manualsida beskriver endast attributnamnsöversättningar. För " +"detaljerade beskrivningar av semantiken hos sudo-relaterade attribut, se " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "AUTOFSALTERNATIV" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." 
+"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" -"Om satt till sant kommer LDAP-biblioteket utföra en omvänd uppslagning för " -"att ta fram värdnamnets kanoniska form under en SASL-bindning" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Standard: false;" +"Några av standardvärdena för parametrar nedan är beroende på LDAP-schemat." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (sträng)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." -msgstr "" -"Ange den keytab som skall användas vid användning av SASL/GSSAPI/GSS-SPNEGO." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." +msgstr "Namnet på automount master-kartan i LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" -msgstr "" -"Standard: Systemets keytab, normalt <filename>/etc/krb5.keytab</filename>" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Standard: auto.master" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "AVANCERADE ALTERNATIV" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (boolean)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 -msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." -msgstr "" -"Anger att id-leverantören skall initiiera Kerberoskreditiv (TGT). Denna " -"åtgärd utförs endast om SASL används och den valda mekanismen är GSSAPI " -"eller GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (heltal)" +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" +msgstr "<note>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. 
It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -"Anger livslängden i sekunder på TGT:n om GSSAPI eller GSS-SPNEGO används." +"Om alternativet <quote>ldap_use_tokengroups</quote> är aktiverat kommer " +"sökningarna i Active Directory inte vara begränsade och returnera alla " +"gruppmedlemskap, även utan någon GID-översättning. Det rekommenderas att " +"avaktivera denna funktion om gruppnamn inte visas korrekt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Standard: 86400 (24 timmar)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" +msgstr "</note>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (sträng)" +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. 
If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"Anger en kommaseparerad lista av IP-adresser eller värdnamn till " -"Kerberosservrar till vilka SSSD skall ansluta i prioritetsordning. För mer " -"information om reserver och serverredundans se avsnittet <quote>RESERVER</" -"quote>. Ett frivilligt portnummer (föregånget av ett kolon) kan läggas till " -"till adresserna eller värdnamnen. Om tomt aktiveras tjänsteupptäckt – för " -"mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." +"Dessa alternativ stödjs av LDAP-domäner, men de skall användas med " +"försiktighet. Inkludera dem endast i din konfiguration om du vet vad du " +"gör. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "EXEMPEL" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." 
msgstr "" -"När tjänsteupptäckt används för KDC eller kpasswd-servrar söker SSSD först " -"efter DNS-poster som anger _udp som protokoll och provar sedan _tcp om inget " -"hittas." +"Följande exempel antar att SSSD är korrekt konfigurerat och att LDAP är satt " +"till en av domänerna i avsnittet <replaceable>[domains]</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Dettas alternativ hade namnet <quote>krb5_kdcip</quote> i tidigare utgåvor " -"av SSSD. Medan det äldre namnet känns igen tills vidare rekommenderas " -"användare att migrera sina konfigurationsfiler till att använda " -"<quote>krb5_server</quote> istället." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." -msgstr "Ange Kerberos-RIKE (för SASL/GSSAPI/GSS-SPNEGO aut)." 
+"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mindomän.se\n" +"ldap_search_base = dc=mindomän,dc=se\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" -msgstr "Standard: Systemstandard, se <filename>/etc/krb5.conf</filename>" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "LDAP-ÅTKOMSTFILTEREXEMPEL" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"Anger om värdens huvudman skall göras kononisk vid anslutning till LDAP-" -"servern. Denna funktion är tillgänglig med MIT Kerberos ≥ 1.7" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (boolean)" +"Följande exempel antar att SSSD är korrekt konfigurerat och att " +"ldap_access_order=lockout används." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Anger om SSSD skall instruera Kerberos-biblioteken om vilket rike och vilka " -"KDC:er som skall användas. Detta alternativ är på som standard, om du " -"avaktiverar det behöver du konfigurera Kerberos-biblioteket i " -"konfigurationsfilen <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mindomän,dc=se\n" +"ldap_uri = ldap://ldap.mindomän.se\n" +"ldap_search_base = dc=mindomän,dc=se\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "NOTER" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -"Se manualsidan <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> för mer information " -"om lokaliseringsinsticksmodulen." +"Beskrivningarna av en del konfigurationsalternativ i denna manualsida är " +"baserade på manualsidan <citerefentry> <refentrytitle>ldap.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> från distributionen " +"OpenLDAP 2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (sträng)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "PAM-modul för SSSD" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -"Välj policyn för att utvärdera utgång av lösenord på klientsidan. 
Följande " -"värden är tillåtna:" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -"<emphasis>none</emphasis> – Ingen utvärdering på klientsidan. Detta " -"alternativ kan inte avaktivera lösenordspolicyer på serversidan." +"<command>pam_sss.so</command> är PAM-gränssnittet till System Security " +"Services daemon (SSSD). Fel och resultat loggas via <command>syslog(3)</" +"command> med funktionen LOG_AUTHPRIV." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "Umdertryck loggmeddelanden om okända användare." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -"<emphasis>shadow</emphasis> – Använd attribut i stilen " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> för att utvärdera om lösenordet har gått ut." +"Om <option>forward_pass</option> är satt läggs det inskrivna lösenordet på " +"stacken så att andra PAM-moduler kan använda det." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. 
Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -"<emphasis>mit_kerberos</emphasis> – Använd attributen som används av MIT " -"Kerberos för att avgöra om lösenordet har gått ut. Använd " -"chpass_provider=krb5 för att uppdatera dessa attribut när läsenordet ändras." +"Argumentet use_first_pass tvingar modulen att använda tidigare stackade " +"modulers lösenord och kommer aldrig fråga användaren – om inget lösenord är " +"tillgängligt eller lösenordet inte stämmer kommer användaren nekas åtkomst." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -"<emphasis>Obs</emphasis>: om en lösenordspolicy konfigureras på serversidan " -"kommer den alltid gå före framför policyn som sätts med detta alternativ." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (boolean)" +"Vid lösenordsändring tvinga modulen till att sätta det nya lösenordet till " +"det som gavs av en tidigare stackad lösenordsmodul." 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "Anger huruvida automatisk uppföljning av referenser skall aktiveras." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -"Observera att sssd endast stödjer uppföljning av referenser när den är " -"kompilerad med OpenLDAP version 2.4.13 eller senare." +"Om angivet frågas användaren ytterligare N gånger om ett lösenord ifall " +"autentiseringen misslyckas. Standard är 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." 
msgstr "" -"Att följa upp referenser kan orsaka en prestandaförlust i miljöer som " -"använder dem mycket, ett notabelt exempel är Microsoft Active Directory. Om " -"din uppsättning inte faktiskt behöver använda referenser kan att sätta detta " -"alternativ till falskt medföra en märkbar prestandaförbättring." +"Observera att detta alternativ kanske inte fungerar som förväntat ifall " +"programmet som anropar PAM hanterar användaredialogen själv. Ett typiskt " +"exempel är <command>sshd</command> med <option>PasswordAuthentication</" +"option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -"Anger tjänstenamnet som skall användas när tjänsteupptäckt är aktiverat." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Standard: ldap" +"Om detta alternativ anges och användaren inte finns kommer PAM-modulen " +"returnera PAM_IGNORE. Detta får PAM-ramverket att ignorera denna modul." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -"Anger tjänstenamnet att använda för att hitta en LDAP-server som tillåter " -"lösenordsändringar när tjänsteupptäckte är aktiverat." +"Anger att PAM-modulen skall returnera PAM_IGNORE om det inte kan kontakta " +"SSSD-demonen. Detta får PAM-ramverket att ignorera denna modul." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" -msgstr "Standard: inte satt, d.v.s. tjänsteupptäckt är avaktiverat" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" +msgstr "<option>domains</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" +"Tillåter administratören att begränsa domänerna en viss PAM-tjänst tillåts " +"autentisera emot. Formatet är en kommaseparerad lista över SSSD-domännamn " +"som de specificeras i filen sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -"Anger huruvida attributet ldap_user_shadow_last_change skall uppdateras med " -"dagar sedan epoken efter en ändring av lösenord." +"OBS: Måste användas tillsammans med flaggorna <quote>pam_trusted_users</" +"quote> och <quote>pam_public_domains</quote>. Se manualsidan <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> för mer information om dessa två PAM-respondentalternativ." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (sträng)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "<option>allow_missing_name</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"Om man använder access_provider = ldap och ldap_access_order = filter " -"(standard) är detta alternativ nödvändigt. Det anger ett LDAP-" -"sökfilterkriterium som måste uppfyllas för att användaren skall ges åtkomst " -"till denna värd. Om access_provider = ldap, ldap_access_order = filter och " -"detta alternativ inte är satt kommer det resultera i att alla användare " -"nekas åtkomst. Använd access_provider = permit för att ändra detta " -"standardbeteende. 
Observera att detta filter endast tillämpas på LDAP-" -"användarposten och därmed filter baserade på nestade grupper kanske inte " -"fungerar (t.ex. attributet memberOf i AD-poster pekar endast på direkta " -"föräldrar). Om filtrering baserad på nästade grupper behövs, se " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Exempel:" +"Huvudsyftet med denna flagga är att låta SSSD avgöra användarnamnet baserat " +"på ytterligare information, t.ex. certifikatet från ett smartkort." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 #, no-wrap msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" +"auth sufficient pam_sss.so allow_missing_name\n" " " msgstr "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" +"auth sufficient pam_sss.so allow_missing_name\n" " " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -"Detta exempel betyder att åtkomst till denna värd är begränsad till " -"användare vars attribut employeeType är satt till ”admin”." +"Det aktuella användningsfallet är inloggningshanterare som kan övervaka en " +"smartkortläsare om korthändelser. Ifall en smartkort sätts in kommer " +"inloggningshanteraren anropa en PAM-stack som innehåller en rad som " +"<placeholder type=\"programlisting\" id=\"0\"/> I detta fall kommer SSSD " +"färsäla avgära användarnamnet baserat på innehållet på smartkortet, " +"returnerar det till pam_sss som slutligen kommer läga det på PAM-stacken." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" +msgstr "<option>prompt_always</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." 
msgstr "" -"Frånkopplad cachning för denna funktion är begränsad till att avgöra " -"huruvida användarens senaste uppkopplade inloggning tilläts " -"åtkomsträttigheter. Om de tilläts vid senaste inloggningen kommmer de " -"fortsätta ges åtkomst under frånkoppling, och vice versa." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Standard: Empty" +"Fråga alltid användaren om kreditiv. Med denna flagga kommer kreditiv " +"begärda av andra PAM-moduler, typiskt ett lösenord, ignoreras och pam_sss " +"kommer fråga efter kreditiv igen. Baserat på förautentiseringssvaret från " +"SSSD kan pam_sss komma att fråga efter ett lösenord, ett smartkorts-PIN " +"eller andra kreditiv." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" +msgstr "<option>try_cert_auth</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -"Med detta alternativ kan en utvärdering på klientsidan av " -"åtkomststyrningsattribut aktiveras." 
+"Försök använda certifikatbaserad smartkortsautentisering, d.v.s. " +"autentisering med smartkort eller liknande enheter. Om ett smartkort är " +"tillgängligt och tjänsten tillåter smartkortsautentisering kommer användaren " +"frågas om ett PIN och certifikatbaserad autentisering kommer fortsätta" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"Observera att det alltid är rekommenderat att använda åtkomstkontroll på " -"serversidan, d.v.s. LDAP-servern skall neka bindningsbegäran med en passande " -"felkod även om lösenordet är korrekt." +"Om inget smartkort är tillgängligt eller certifikatbaserad autentisering " +"inte är tillåten för den aktuella tjänsten returneras PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Följande värden är tillåtna:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" +msgstr "<option>require_cert_auth</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"<emphasis>shadow</emphasis>: använd värdet på ldap_user_shadow_expire för " -"att avgöra om kontot har gått ut." +"Använd certifikatbaserad autentisering, d.v.s. autentisering med smartkort " +"eller liknande enheter. Om ett smartkort inte är tillgängligt ombeds " +"användaren att sätta in ett. SSSD kommer att vänta på ett smartkort tills " +"tidsgränsen definierad av p11_wait_for_card_timeout har passerats, se " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> för detaljer." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." 
msgstr "" -"<emphasis>ad</emphasis>: använd värdet på 32-bitarsfältet " -"ldap_user_ad_user_account_control och tillåt åtkomst om den andra biten är " -"satt eller inte. Om attributet saknas tillåts åtkomst. Utgångstiden för " -"kontot kontrolleras också." +"Om inget smartkort är tillgängligt efter att tidsgränsen eller om " +"certifikatbaserad autentisering inte är tillåten för den aktuella tjänsten " +"returneras PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 -msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." -msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: använd värdet på ldap_ns_account_lock för att avgöra om åtkomst " -"tillåts eller inte." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "TILLHANDAHÅLLNA MODULTYPER" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"<emphasis>nds</emphasis>: värdena på ldap_user_nds_login_allowed_time_map, " -"ldap_user_nds_login_disabled och ldap_user_nds_login_expiration_time används " -"för att avgöra om åtkomst tillåts. Om båda attributen saknas tillåts " -"åtkomst." 
+"Alla modultyper (<option>account</option>, <option>auth</option>, " +"<option>password</option> och <option>session</option>) tillhandahålls." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" -"emphasis> innehålla <quote>expire</quote> för att alternativet " -"ldap_account_expire_policy skall fungera." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" -msgstr "" -"Kommaseparerad lista över åtkomststyrningsalternativ. Tillåtna värden är:" +"Om SSSD:s PAM-respondent inte kör, t.ex. om PAM-responentens uttag (socket) " +"inte är tillgängligt kommer pam_sss returnera PAM_USER_UNKNOWN när det " +"anropas som modulen <option>account</option> för att undvika problem med " +"användare från andra källor under åtkomstkontroll." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis>: använd ldap_access_filter" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "FILER" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"<emphasis>lockout</emphasis>: använd kontolåsning. Om satt nekar detta " -"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och " -"har värdet ”000001010000Z”. Se alternativet ldap_pwdlockout_dn. Observera " -"att ”access_provider = ldap” måste vara satt för att denna funktion skall " -"fungera." +"Om en återställning av lösenord av root misslyckas, för att motsvarande SSSD-" +"leverantör inte stödjer återställning av lösenord, kan ett individuellt " +"meddelande visas. Detta meddelande kan t.ex. innehålla instruktioner hur " +"man återställer ett lösenord." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"<emphasis>Observera att detta alternativ ersätts av alternativet " -"<quote>ppolicy</quote> och kan komma att tas bort i en framtida utgåva.</" -"emphasis>" +"Meddelandet läses från filen <filename>pam_sss_pw_reset_message.LOK</" +"filename> där LOK står för en lokalsträng som den returneras av " +"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" +"manvolnum> </citerefentry>. Om det inte finns någon matchande fil visas " +"innehållet i <filename>pam_sss_pw_reset_message.txt</filename>. Root måste " +"vara ägaren av filerna och endast root får ha läs- och skrivrättigheter " +"medan alla andra användare endast får ha läsrättigheter." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. 
Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -"<emphasis>ppolicy</emphasis>: använd kontolåsning. Om satt nekar detta " -"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och " -"har värdet ”000001010000Z” eller representerar en tidpunkt i det förgångna. " -"Värdet på attributet ”pwdAccountLockedTime” måste sluta med ”Z”, som " -"markerar tidszonen UTC. Andra tidszoner stödjs för närvarande inte och " -"kommer resultera i ”access-denied” när användare försöker logga in. Se " -"alternativet ldap_pwdlockout_dn. Observera att ”access_provider = ldap” " -"måste vara satt för att denna funktion skall fungera." +"Man letar efter dessa filer i katalogen <filename>/etc/sssd/customize/" +"DOMÄNNAMN/</filename>. Om ingen matchande fil finns visas ett allmänt " +"meddelande." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "<emphasis>expire</emphasis>: använd ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." -msgstr "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> Dessa alternativ är användbara om " -"användare vill bli varnade att lösenordet är på gång att gå ut och " -"autentisering är baserat på användning av en annan metod än lösenord – till " -"exempel SSH-nycklar." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "Kerberos lokaliseringsinsticksmodul" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. 
To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -"Skillnadem mellan dessa alternativ är åtgärden som vidtas om användarens " -"lösenord gått ut: pwd_expire_policy_reject – användaren nekas att logga in, " -"pwd_expire_policy_warn – användaren kan fortfarande logga in, " -"pwd_expire_policy_renew – användaren ombeds ändra sitt lösenord omedelbart." +"Kerberos lokaliseringsinsticksmodul <command>sssd_krb5_locator_plugin</" +"command> används av libkrb5 för att hitta KDC:er för ett givet Kerberos-" +"rike. SSSD tillhandahåller en sådan insticksmodul för att styra alla " +"Kerberos-klienter på ett system till en ensam KDC. I allmänhet skall det " +"inte ha någon betydelse vilken KDC en klientprocess pratar med. Men det " +"finns fall, t.ex. efter en lösenordsändring, då inte alla KDC:er är i samma " +"tillstånd för att den nya datan måste spridas först. För att undvika " +"oväntade autentiseringsfel och kanske även kontolåsningar kan det vara bra " +"att prata med en enskild KDC så länge som möjligt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. 
Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -"Observera att om användarlösenordet har gått ut ges inget särskilt " -"meddelande av SSSD." +"libkrb5 kommer söka efter lokaliseringsinsticksmodulen i underkatalogen " +"libkrb5 till Kerberos katalog för insticksmoduler, se plugin_base_dir i " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> för detaljer. Insticksmodulen kan endast " +"avaktiveras genom att ta bort filen med insticksmodulen. Det finns ingen " +"möjlighet att avaktivera den i Kerberos konfiguration. Men miljövariabeln " +"SSSD_KRB5_LOCATOR_DISABLE kan användas för att avaktivera insticksmodulen " +"för individuella kommandon. Alternativt kan SSSD-alternativet " +"krb5_use_kdcinfo=False användas för att inte generera de data som behövs av " +"insticksmodulen. Med denna anropas fortfarande intsticksmodulen men den " +"tillhandahåller inga data till anroparen så att libkrb5 kan falla tillbaka " +"på andra metoder som är definierade i krb5.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. 
An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -"Observera att ”access_provider = ldap” måste vara satt för att denna " -"funktion skall fungera. ”ldap_pwd_policy” måste också vara satt till en " -"lämplig lösenordspolicy." +"Insticksmodulen läser information om KDC:erna för ett givet rike från en fil " +"som heter <filename>kdcinfo.RIKE</filename>. Filen skall innehålla ett " +"eller flera DNS-namn eller IP-adresser antingen i punktad decimal IPv4-" +"notation eller den hexadecimal IPv6-nodationen. Ett frivilligt portnummer " +"kan läggas till på slutet separerat av ett kolon, IPv6-adressen måste " +"inneslutas i hakparenteser i detta fall som vanligt. Giltiga poster är:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 -msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" -msgstr "" -"<emphasis>authorized_service</emphasis>: använd attrobitet authorizedService " -"för att avgöra åtkomst" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" +msgstr "kdc.exempel.se" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" -msgstr "" -"<emphasis>host</emphasis>: använd attributet host för att avgöra åtkomst" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "kdc.exempel.se:321" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 -msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" -msgstr "" -"<emphasis>rhost</emphasis>: använd attrobitet rhost för att avgöra huruvida " -"fjärrvärdar kan få åtkomst" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "1.2.3.4" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 -msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" -"Observera, rhost-fältet i pam sätts av programmet, det är bättre att " -"kontrollera vad programmet skickar till pam, före detta alternativ för " -"åtkomstkontroll aktiveras" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "5.6.7.8:99" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Standard: filter" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "2001:db8:85a3::8a2e:370:7334" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "[2001:db8:85a3::8a2e:370:7334]:321" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -"Observera att det är ett konfigurationsfel om ett värde används mer än en " -"gång." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" -msgstr "ldap_pwdlockout_dn (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 -msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" -"Detta alternativ anger DN för lösenordspolicyposten på LDAP-servern. Notera " -"att frånvaro av detta alternativ i sssd.conf när kontroll av kontolåsning är " -"aktiverat kommer att resultera i nekad åtkomst eftersom ppolicy-attribut på " -"LDAP-servern inte kan kontrolleras ordentligt. " - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" -msgstr "Exempel: cn=ppolicy,ou=policies,dc=exempel,dc=se" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" -msgstr "Standard: cn=ppolicy,ou=policies,$ldap_search_base" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (sträng)" +"SSSD:s krb5-autentiseringsleverantör som också används av IPA- och AD-" +"leverantörerna lägger till adresser till den aktuella KDC- eller " +"domänkontrollern SSSD använder till denna fil. " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -"Anger hur dereferering av alias görs när sökningar utförs. Följande " -"alternativ är tillåtna:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." -msgstr "<emphasis>never</emphasis>: Alias är aldrig derefererade." 
+"I miljöer med KDC:er som endast är för läsning och för läsning och skrivning " +"där klienter förväntas använda instanser endast för läsning för allmänna " +"operationer och endast KDC:n för läsning och skrivning för " +"konfigurationsändringar som lösenordsändringar används även en " +"<filename>kpasswdinfo.RIKE</filename> för att identifiera KDC:er för läsning " +"och skrivning. Om denna fill fins för det givna riket kommer innehållet " +"användas av insticksmodulen för att svara på begäranden om en kpasswd- eller " +"kadmin-server eller om den huvud-KDC:n spedifik för MIT Kerberos. Om " +"adressen innehåller ett portnummer kommer standard-KDC-porten 88 användas " +"för det senare." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -"<emphasis>searching</emphasis>: Alias derefereras i underordnade till " -"basobjektet, men inte vid lokalisering basobjektet för sökningen." +"Inte alla Kerberosimplementationer stödjer användningen av insticksmoduler. " +"Om <command>sssd_krb5_locator_plugin</command> inte är gilltänglig på ditt " +"system måste du redigera /etc/krb5.conf för att avspegla din " +"Kerberosuppsättning." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -"<emphasis>finding</emphasis>: Alias derefereras endast vid lokalisering av " -"basobjektet för sökningen." +"Om miljövariabeln SSSD_KRB5_LOCATOR_DEBUG är satt till något värde kommer " +"felsökningsmeddelanden skrivas till standard fel." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -"<emphasis>always</emphasis>: Alias derefereras både i sökning och i " -"lokalisering av basobjektet för sökningen." +"Om miljövariabeln SSSD_KRB5_LOCATOR_DISABLE är satt till något värde " +"avaktiveras insticksmodulen och kommer bara returnera KRB5_PLUGIN_NO_HANDLE " +"till anroparen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. 
By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -"Standard: Tomt (detta hanteras som <emphasis>never</emphasis> av LDAP-" -"klientbiblioteken)" +"Om miljövariabeln SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES är satt till något " +"värde kommer insticksmodulen försöka slå upp alla DNS-namn i filen kdcinfo. " +"Som standard returneras KRB5_PLUGIN_NO_HANDLE till anroparen omedelbart vid " +"den första misslyckade DNS-uppslagningen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." -msgstr "" -"Tillåter att behålla lokala användare som medlemmar i en LDAP-grupp för " -"servrar som använder schemat RFC2307." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "konfigurationsfilen för SSSD:s åtkomststyrningleverantör ”simple”" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. 
" -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -"I en del miljöer där schemat RFC2307 används görs lokala användare till " -"medlemmar i LDAP-grupper genom att lägga till deras namn till attributet " -"memberUid. Den interna konsistensen i domänen bryts när detta görs, så SSSD " -"skulle normalt ta bort de ”saknade” användarna från de cachade " -"gruppmedlemskapen så fort nsswitch försöker hämta information om användaren " -"via anrop av getpw*() eller initgroups()." +"Denna manualsida besriver konfigurationen av åtkomststyrningsleverantören " +"simple till <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. För en detaljerad referens om syntaxen, se " +"avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." 
+"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"Detta alternativ faller tillbaka på att kontrollera om lokala användare är " -"refererade, och cachar dem så att senare anrop av initgroups() kommer utöka " -"de lokala användarna med de extra LDAP-grupperna." +"Åtkomstleverantören simple tillåter eller nekar åtkomst baserat på en " +"åtkomst- eller nekandelista över användar- eller gruppnamn. Följande regler " +"är tillämpliga:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" -msgstr "wildcard_limit (heltal)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Om alla listor är timma tillåts åtkomst" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" -"Anger en övre gräns på antalet poster som hämtas under en uppslagning med " -"jokertecken." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -"För närvarande stödjer endast respondenten InfoPipe jockeruppslagningar." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" -msgstr "Standard: 1000 (ofta storleken på en sida)" +"Om någon lista tillhandahålls är evalueringsordningen allow,deny. Detta " +"betyder att en deny-regel som matchar kommer gå före en eventuell matchande " +"allow-regel." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -"Alla de vanliga konfigurationsalternativen som gäller SSSD-domäner gäller " -"även LDAP-domäner. Se avsnittet <quote>DOMÄNSEKTIONER</quote> av " -"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> för fullständiga detaljer. " -"<placeholder type=\"variablelist\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "SUDOALTERNATIV" +"Om antingen den ena eller båda ”tillåtelselistorna” tillhandahålls nekas " +"alla användare om de inte förekommer i listan." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" -"De detaljerade instruktionerna för att konfigurera sudo-leverantören finns i " -"manualsidan <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"Om endast ”nekandelistor” tillhandahålls tillåts alla användare åtkomst om " +"de inte förekommer i listan." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "Objektklassen hos en sudo-regelpost i LDAP." +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Standard: sudoRole" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "Kommaseparerad lista över användare som tillåts att logga in." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (sträng)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (sträng)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "LDAP-attributet som motsvarar sudo-regelnamnet." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "Kommaseparerad lista över användare som explicit nekas åtkomst." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "LDAP-attributet som motsvarar kommandonamnet." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Standard: sudoCommand" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (sträng)" +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#: sssd-simple.5.xml:100 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -"LDAP-attributet som motsvarar värdnamnet (eller värdens IP-adress, värdens " -"IP-nätverk eller värdens nätgrupp)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Standard: sudoHost" +"Kommaseparerad lista över grupper som tillåts logga in. Detta är endast " +"tillämpligt på grupper i denna SSSD-domän. Lokala grupper utvärderas inte." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (sträng)" +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#: sssd-simple.5.xml:111 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"LDAP-attributet som motsvarar användarnamnet (eller UID, gruppnamnet eller " -"användarens nätgrupp)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Standard: sudoUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "LDAP-attributet som motsvarar sudo-alternativen.." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Standard: sudoOption" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (sträng)" +"Kommaseparerad lista över grupper som nekas åtkost. Detta är endast " +"tillämpligt på grupper i denna SSSD-domän. Lokala grupper utvärderas inte." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"LDAP-attributet som motsvarar användarnamnet som kommandon får köras som." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Standard: sudoRunAsUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (sträng)" +"Se <quote>DOMÄNSEKTIONER</quote> i manualsidan <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> för detaljer om konfigurationen av en SSSD-domän. " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"LDAP-attributet som motsvarar gruppnamnet eller grupp-GID:t som kommandon " -"får köras som." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Standard: sudoRunAsGroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (sträng)" +"Att inte ange några värden för någon av listorna är likvärdigt med att hoppa " +"över det helt. Var medveten om detta när parametrar genereras för " +"leverantören simple med automatiserade skript." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -"LDAP-attributet som motsvarar startdagen/-tiden då sudo-regeln är giltig." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Standard: sudoNotBefore" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (sträng)" +"Observera att det är ett konfigurationsfel om båda, simple_allow_users och " +"simple_deny_users, är definierade." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -"LDAP-attributet som motsvarar utgångsdagen/-tiden då sudo-regeln inte " -"längre är giltig." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Standard: sudoNotAfter" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." -msgstr "LDAP-attributet som motsvarar ordningsindexet för regeln." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Standard: sudoOrder" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (heltal)" +"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se " +"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Dessa " +"exempel visar endast alternativ som är specifika för åtkomstleverantören " +"simple." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -"Hur många sekunder SSSD kommer vänta mellan körningar av fullständiga " -"uppdateringar av sudo-regler (som hämtar alla regler som är lagrade på " -"servern)." +"[domain/exempel.se]\n" +"access_provider = simple\n" +"simple_allow_users = användare1, användare2\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." 
msgstr "" -"Värdet måste vara större än <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"Den fullständiga gruppmedlemsskapshierarkin löses upp före " +"åtkomstkontrollen, alltså kan även nästade grupper inkluderas i " +"åtkomstlistorna. Var medveten om att alternativet " +"<quote>ldap_group_nesting_level</quote> kan påverka resultaten och skall " +"sättas till ett tillräckligt värde. (<citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Standard: 21600 (6 timmar)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "sss-certmap" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (heltal)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "SSSD:s certifikatmatchnings- och -mappningsregler" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." 
msgstr "" -"Hur många sekunder SSSD måste vänta mellan körningar av en smart uppdatering " -"av sudo-regler (som hämtar alla regler som har USN högre än serverns högsta " -"USN-värde som för närvarande är känt av SSSD)." +"Manualsidan beskriver reglerna som kan användas av SSSD och andra " +"komponenter för att matcha X.509-certifikat och koppla dem till konton." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -"Om USN-attribut inte stödjs av servern används attributet modifyTimestamp " -"istället." +"Varje regel har fyra komponenter, en <quote>prioritet</quote>, en " +"<quote>matchningsregel</quote>, en <quote>mappningsregel</quote> och en " +"<quote>domänlista</quote>. Alla komponenter är frivilliga. En saknad " +"<quote>prioritet</quote> kommer lägga till regel med den lägsta " +"prioriteten. Standard-<quote>matchningsregeln</quote> kommer matcha " +"certifikat med digitalSignature-nyckelanvändning och clientAuth-" +"utökadnyckelanvändning. 
Om <quote>mappningsregeln</quote> är tom kommer " +"certifikaten sökas efter i attrubutet userCertificate som DER-kodade " +"binärer. Om inga domäner anges kommer endast den lokala domänen sökas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." -msgstr "" -"<emphasis>Obs:</emphasis> det högsta USN-värdet kan uppdateras av tre " -"uppgifter: 1) Genom fullständig och smart sudo-uppdatering (om det finns " -"uppdaterade regler), 2) genom uppräkning av användare och grupper (om det " -"finns aktiverade och uppdaterade grupper) och 3) genom att återansluta till " -"servern (som standard var 15:e minut, se " -"<emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "REGELKOMPONENTER" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "PRIORITET" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." 
+"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -"Om sann kommer SSSD hämta endast regler som är tillämpliga för denna maskin " -"(genom användning av IPv4- och IPv6-värd-/-nätverksadresser och värdnamn)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (sträng)" +"Reglerna bearbetas i prioritetsordning där ”0” (noll) indikerar den högsta " +"prioriteten. Ju högre talet är desto lägre är prioriteten. Ett saknat " +"värde indikerar den lägsta prioriteten. Regelbearbetningen stoppas när en " +"regel som matchar hittas och inga ytterligare regler kontrolleras." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -"Mellanrumsseparerad lista över värdnamn eller fullständigt kvalificerade " -"domännamn som skall användas för att filtrera reglerna." +"Internt behandlas prioriteten som teckenlösa 32-bitars heltal, att använda " +"ett prioritetsvärde större än 4294967295 kommer orsaka ett fel." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." -msgstr "" -"Om detta alternativ är tomt kommer SSSD försöka upptäcka värdnamnet och det " -"fullständigt kvalificerade domännamnet automatiskt." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "MATCHNINGSREGEL" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -"Om <emphasis>ldap_sudo_use_host_filter</emphasis> är <emphasis>false</" -"emphasis> har detta alternativ ingen effekt." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "Standard: inte angivet" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (sträng)" +"Matchningsregeln används för att välja ett certifikat som " +"översättningsregeln skall tillämpas på. Det använder ett system liknande " +"det som används av alternativet <quote>pkinit_cert_match</quote> i MIT " +"Kerberos. Det består av ett nyckelord omgivet av ”<” och ”>” som " +"identifierar en specifik del av certifikatet och ett mönster som skall " +"finnas för att regeln skall matcha. Flera nyckelord/mönster-par kan " +"antingen sammanfogas med ”&&” (och) eller ”||” (eller)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." -msgstr "" -"Mellanrumsseparerad lista över IPv4- eller IPv6 värd-/nätverksadresser som " -"skall användas för att filtrera reglerna." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "<SUBJECT>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -"Om detta alternativ är tomt kommer SSSD försöka upptäcka adresser " -"automatiskt." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (boolean)" +"Med denna kan en del eller hela certifikatets subject-namn matchas. För " +"matchningen används POSIX syntax för utökade reguljära uttryck, se regex(7) " +"för detaljer." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -"Om sant kommer SSSD hämta varje regel som innehåller en nätgrupp i " -"attributet sudoHost." +"För matchningen konverteras subject-namnet lagrat i certifikatet i DER-kodad " +"ASN.1 till en sträng i enlighet med RFC 4514. Detta betyder att den mest " +"specifika namnkomponenten kommer först. Observera att inte alla möjliga " +"attributnamn täcks av RFC 4514. De inkluderade namnen är ”CN”, ”L”, ”ST”, " +"”O”, ”OU”, ”C”, ”STREET”, ”DC” och ”UID”. " -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "Exempel: <SUBJECT>.*,DC=MIN,DC=DOMÄN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 -msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." -msgstr "" -"Om sant kommer SSSD hämta varje regel som innehåller ett jokertecken i " -"attributet sudoHost." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "<ISSUER>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -"Att använda jokertecken är en operation som är väldigt dyr att evaluera på " -"LDAP-serversidan!" +"Med denna kan en del eller hela certifikatets issuer-namn matchas. Alla " +"kommentarer för <SUBJECT> är tillämpliga här också." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. 
For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" -"Denna manualsida beskriver endast attributnamnsöversättningar. För " -"detaljerade beskrivningar av semantiken hos sudo-relaterade attribut, se " -"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "Exempel: <ISSUER>^CN=Min-CA,DC=MIN,DC=DOMÄN$" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "AUTOFSALTERNATIV" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "<KU>nyckelanvändning" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -"Några av standardvärdena för parametrar nedan är beroende på LDAP-schemat." +"Detta alternativ kan användas för att specificera vilka " +"nyckelanvändningsvärden certifikatet skall ha. Följande värden kan användas " +"i en kommaseparerad lista:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "ldap_autofs_map_master_name (sträng)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "digitalSignature" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." -msgstr "Namnet på automount master-kartan i LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "nonRepudiation" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "Standard: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "dataEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "Objektklassen hos en automatmonteringskartepost i LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "keyAgreement" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" -msgstr "Standard: nisMap (rfc2307, autofs_provider=ad), annars automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "keyCertSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "cRLSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "Namnet på en automatmonteringskartepost i LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "encipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 -msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" -msgstr "" -"Standard: nisMapName (rfc2307, autofs_provider=ad), annars automountMapName" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (sträng)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "decipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -"Objektklassen hos en automatmonteringspost i LDAP. Posten motsvarar " -"vanligen en monteringspunkt." +"Ett numeriskt värde i intervallet hos ett 32-bitars teckenlöst heltal kan " +"användas också för att täcka speciella användningsfall." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" -msgstr "Standard: nisObject (rfc2307, autofs_provider=ad), annars automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "Exempel: <KU>digitalSignature,keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "<EKU>utökad-nyckel-användning" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -"Nyckeln till en automatmonteringspost i LDAP. Posten motsvarar vanligen en " -"monteringspunkt." +"Detta alternativ kan användas för att specificera vilka utökade-nyckel-" +"användningsvärden certifikatet skall ha. Följande värden kan användas i en " +"kommaseparerad lista:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" -msgstr "Standard: cn (rfc2307, autofs_provider=ad), annars automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "serverAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "clientAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "codeSigning" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "emailProtection" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "timeStamping" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "OCSPSigning" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "KPClientAuth" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "pkinit" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "msScLogin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." 
msgstr "" -"Standard: nisMapEntry (rfc2307, autofs_provider=ad), annars " -"automountInformation" +"Användningar av utökade nycklar som inte listas ovanför kan specificeras med " +"sina OID:er i punktad decimal notation." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "Exempel: <EKU>clientAuth,1.3.6.1.5.2.3.4" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "<SAN>reguljärt-uttryck" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"För att vara kompatibel med användningen av MIT Kerberos kommer detta " +"alternativ matcha Kerberos-huvudmän i PKINIT eller AD NT-Principal SAN som " +"<SAN:Principal> gör." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "AVANCERADE ALTERNATIV" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "Exempel: <SAN>.*@MITT\\.RIKE" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "<SAN:Principal>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "Matcha Kerberos-huvudmännen i PKINIT eller AD NT Principal " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "Exempel: <SAN:Principal>.*@MITT\\.RIKE" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" -msgstr "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "<SAN:ntPrincipalName>reguljärt-uttryck" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." -msgstr "" -"Om alternativet <quote>ldap_use_tokengroups</quote> är aktiverat kommer " -"sökningarna i Active Directory inte vara begränsade och returnera alla " -"gruppmedlemskap, även utan någon GID-översättning. Det rekommenderas att " -"avaktivera denna funktion om gruppnamn inte visas korrekt." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "Matcha Kerberhos-huvudmän från AD NT Principal SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" -msgstr "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "Exempel: <SAN:ntPrincipalName>.*@MITT.AD.RIKE" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "<SAN:pkinit>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (sträng)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "Matcha Kerberos-huvudmän från PKINIT SAN." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "Exempel: <SAN:ntPrincipalName>.*@MITT\\.PKINIT\\.RIKE" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "<SAN:dotted-decimal-oid>reguljärt-uttryck" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -"Dessa alternativ stödjs av LDAP-domäner, men de skall användas med " -"försiktighet. Inkludera dem endast i din konfiguration om du vet vad du " -"gör. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"Ta värdet från otherName SAN-komponenten som anges av OID:n i punktad " +"decimal notation, tolka den som en sträng och försök att matcha den mot det " +"reguljära uttrycket." -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "EXEMPEL" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "Exempel: <SAN:1.2.3.4>test" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "<SAN:otherName>base64-sträng" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerat och att LDAP är satt " -"till en av domänerna i avsnittet <replaceable>[domains]</replaceable>." +"Gör en binär matchning med den base64-kodade klicken mot alla otherName SAN-" +"komponenter. Med detta alternativ är det möjligt att macha mot anpassade " +"otherName-komponenter med speciella kodningar som inte kan hanteras som " +"strängar." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" -msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mindomän.se\n" -"ldap_search_base = dc=mindomän,dc=se\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" - -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" -msgstr "LDAP-ÅTKOMSTFILTEREXEMPEL" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 -msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." -msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerat och att " -"ldap_access_order=lockout används." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "Exempel: <SAN:otherName>MTIz" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" -msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mindomän,dc=se\n" -"ldap_uri = ldap://ldap.mindomän.se\n" -"ldap_search_base = dc=mindomän,dc=se\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "<SAN:rfc822Name>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "NOTER" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "Matcha värdet på rfc822Name SAN." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 -msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." 
-msgstr "" -"Beskrivningarna av en del konfigurationsalternativ i denna manualsida är " -"baserade på manualsidan <citerefentry> <refentrytitle>ldap.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> från distributionen " -"OpenLDAP 2.4." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "Exempel: <SAN:rfc822Name>.*@epost\\.domän" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "<SAN:dNSName>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "PAM-modul för SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "Matcha värdet på dNSName SAN." -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 -msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" -msgstr "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "Exempel: <SAN:dNSName>.*\\.min\\.dns\\.domän" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." -msgstr "" -"<command>pam_sss.so</command> är PAM-gränssnittet till System Security " -"Services daemon (SSSD). Fel och resultat loggas via <command>syslog(3)</" -"command> med funktionen LOG_AUTHPRIV." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "<SAN:x400Address>base64-sträng" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "Matcha binärt värdet på x400Address SAN." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "Umdertryck loggmeddelanden om okända användare." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "Exempel: <SAN:x400Address>MTIz" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "<SAN:directoryName>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -"Om <option>forward_pass</option> är satt läggs det inskrivna lösenordet på " -"stacken så att andra PAM-moduler kan använda det." +"Matcha värdet på directoryName SAN. Samma kommentarer som gavs för <" +"ISSUER> och <SUBJECT> gäller här också." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "Exempel: <SAN:directoryName>.*,DC=com" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 -msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." 
-msgstr "" -"Argumentet use_first_pass tvingar modulen att använda tidigare stackade " -"modulers lösenord och kommer aldrig fråga användaren – om inget lösenord är " -"tillgängligt eller lösenordet inte stämmer kommer användaren nekas åtkomst." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "<SAN:ediPartyName>base64-sträng" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "Matcha binärt värdet på ediPartyName SAN." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." -msgstr "" -"Vid lösenordsändring tvinga modulen till att sätta det nya lösenordet till " -"det som gavs av en tidigare stackad lösenordsmodul." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "Exempel: <SAN:ediPartyName>MTIz" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "<SAN:uniformResourceIdentifier>reguljärt-uttryck" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." -msgstr "" -"Om angivet frågas användaren ytterligare N gånger om ett lösenord ifall " -"autentiseringen misslyckas. Standard är 0." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "Matcha värdet på uniformResourceIdentifier SAN." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 -msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." -msgstr "" -"Observera att detta alternativ kanske inte fungerar som förväntat ifall " -"programmet som anropar PAM hanterar användaredialogen själv. Ett typiskt " -"exempel är <command>sshd</command> med <option>PasswordAuthentication</" -"option>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "<option>ignore_unknown_user</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 -msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." -msgstr "" -"Om detta alternativ anges och användaren inte finns kommer PAM-modulen " -"returnera PAM_IGNORE. Detta får PAM-ramverket att ignorera denna modul." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "<option>ignore_authinfo_unavail</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 -msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." -msgstr "" -"Anger att PAM-modulen skall returnera PAM_IGNORE om det inte kan kontakta " -"SSSD-demonen. Detta får PAM-ramverket att ignorera denna modul." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" -msgstr "<option>domains</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 -msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." -msgstr "" -"Tillåter administratören att begränsa domänerna en viss PAM-tjänst tillåts " -"autentisera emot. Formatet är en kommaseparerad lista över SSSD-domännamn " -"som de specificeras i filen sssd.conf." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 -msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." -msgstr "" -"OBS: Måste användas tillsammans med flaggorna <quote>pam_trusted_users</" -"quote> och <quote>pam_public_domains</quote>. 
Se manualsidan <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> för mer information om dessa två PAM-respondentalternativ." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" -msgstr "<option>allow_missing_name</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 -msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." -msgstr "" -"Huvudsyftet med denna flagga är att låta SSSD avgöra användarnamnet baserat " -"på ytterligare information, t.ex. certifikatet från ett smartkort." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " -msgstr "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 -msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." -msgstr "" -"Det aktuella användningsfallet är inloggningshanterare som kan övervaka en " -"smartkortläsare om korthändelser. 
Ifall en smartkort sätts in kommer " -"inloggningshanteraren anropa en PAM-stack som innehåller en rad som " -"<placeholder type=\"programlisting\" id=\"0\"/> I detta fall kommer SSSD " -"färsäla avgära användarnamnet baserat på innehållet på smartkortet, " -"returnerar det till pam_sss som slutligen kommer läga det på PAM-stacken." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" -msgstr "<option>prompt_always</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 -msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." -msgstr "" -"Fråga alltid användaren om kreditiv. Med denna flagga kommer kreditiv " -"begärda av andra PAM-moduler, typiskt ett lösenord, ignoreras och pam_sss " -"kommer fråga efter kreditiv igen. Baserat på förautentiseringssvaret från " -"SSSD kan pam_sss komma att fråga efter ett lösenord, ett smartkorts-PIN " -"eller andra kreditiv." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" -msgstr "<option>try_cert_auth</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 -msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. 
If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" -msgstr "" -"Försök använda certifikatbaserad smartkortsautentisering, d.v.s. " -"autentisering med smartkort eller liknande enheter. Om ett smartkort är " -"tillgängligt och tjänsten tillåter smartkortsautentisering kommer användaren " -"frågas om ett PIN och certifikatbaserad autentisering kommer fortsätta" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 -msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." -msgstr "" -"Om inget smartkort är tillgängligt eller certifikatbaserad autentisering " -"inte är tillåten för den aktuella tjänsten returneras PAM_AUTHINFO_UNAVAIL." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" -msgstr "<option>require_cert_auth</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." -msgstr "" -"Använd certifikatbaserad autentisering, d.v.s. autentisering med smartkort " -"eller liknande enheter. Om ett smartkort inte är tillgängligt ombeds " -"användaren att sätta in ett. 
SSSD kommer att vänta på ett smartkort tills " -"tidsgränsen definierad av p11_wait_for_card_timeout har passerats, se " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> för detaljer." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 -msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" -"Om inget smartkort är tillgängligt efter att tidsgränsen eller om " -"certifikatbaserad autentisering inte är tillåten för den aktuella tjänsten " -"returneras PAM_AUTHINFO_UNAVAIL." - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "TILLHANDAHÅLLNA MODULTYPER" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." -msgstr "" -"Alla modultyper (<option>account</option>, <option>auth</option>, " -"<option>password</option> och <option>session</option>) tillhandahålls." - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 -msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." -msgstr "" -"Om SSSD:s PAM-respondent inte kör, t.ex. om PAM-responentens uttag (socket) " -"inte är tillgängligt kommer pam_sss returnera PAM_USER_UNKNOWN när det " -"anropas som modulen <option>account</option> för att undvika problem med " -"användare från andra källor under åtkomstkontroll." - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "FILER" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." -msgstr "" -"Om en återställning av lösenord av root misslyckas, för att motsvarande SSSD-" -"leverantör inte stödjer återställning av lösenord, kan ett individuellt " -"meddelande visas. Detta meddelande kan t.ex. innehålla instruktioner hur " -"man återställer ett lösenord." - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 -msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." -msgstr "" -"Meddelandet läses från filen <filename>pam_sss_pw_reset_message.LOK</" -"filename> där LOK står för en lokalsträng som den returneras av " -"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" -"manvolnum> </citerefentry>. Om det inte finns någon matchande fil visas " -"innehållet i <filename>pam_sss_pw_reset_message.txt</filename>. Root måste " -"vara ägaren av filerna och endast root får ha läs- och skrivrättigheter " -"medan alla andra användare endast får ha läsrättigheter." - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." -msgstr "" -"Man letar efter dessa filer i katalogen <filename>/etc/sssd/customize/" -"DOMÄNNAMN/</filename>. Om ingen matchande fil finns visas ett allmänt " -"meddelande." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" -msgstr "Kerberos lokaliseringsinsticksmodul" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." -msgstr "" -"Kerberos lokaliseringsinsticksmodul <command>sssd_krb5_locator_plugin</" -"command> används av libkrb5 för att hitta KDC:er för ett givet Kerberos-" -"rike. SSSD tillhandahåller en sådan insticksmodul för att styra alla " -"Kerberos-klienter på ett system till en ensam KDC. I allmänhet skall det " -"inte ha någon betydelse vilken KDC en klientprocess pratar med. Men det " -"finns fall, t.ex. 
efter en lösenordsändring, då inte alla KDC:er är i samma " -"tillstånd för att den nya datan måste spridas först. För att undvika " -"oväntade autentiseringsfel och kanske även kontolåsningar kan det vara bra " -"att prata med en enskild KDC så länge som möjligt." - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." -msgstr "" -"libkrb5 kommer söka efter lokaliseringsinsticksmodulen i underkatalogen " -"libkrb5 till Kerberos katalog för insticksmoduler, se plugin_base_dir i " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> för detaljer. Insticksmodulen kan endast " -"avaktiveras genom att ta bort filen med insticksmodulen. Det finns ingen " -"möjlighet att avaktivera den i Kerberos konfiguration. Men miljövariabeln " -"SSSD_KRB5_LOCATOR_DISABLE kan användas för att avaktivera insticksmodulen " -"för individuella kommandon. Alternativt kan SSSD-alternativet " -"krb5_use_kdcinfo=False användas för att inte generera de data som behövs av " -"insticksmodulen. 
Med denna anropas fortfarande intsticksmodulen men den " -"tillhandahåller inga data till anroparen så att libkrb5 kan falla tillbaka " -"på andra metoder som är definierade i krb5.conf." - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" -msgstr "" -"Insticksmodulen läser information om KDC:erna för ett givet rike från en fil " -"som heter <filename>kdcinfo.RIKE</filename>. Filen skall innehålla ett " -"eller flera DNS-namn eller IP-adresser antingen i punktad decimal IPv4-" -"notation eller den hexadecimal IPv6-nodationen. Ett frivilligt portnummer " -"kan läggas till på slutet separerat av ett kolon, IPv6-adressen måste " -"inneslutas i hakparenteser i detta fall som vanligt. Giltiga poster är:" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" -msgstr "kdc.exempel.se" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" -msgstr "kdc.exempel.se:321" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" -msgstr "1.2.3.4" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" -msgstr "5.6.7.8:99" - -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" -msgstr "2001:db8:85a3::8a2e:370:7334" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" -msgstr "[2001:db8:85a3::8a2e:370:7334]:321" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 -msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." -msgstr "" -"SSSD:s krb5-autentiseringsleverantör som också används av IPA- och AD-" -"leverantörerna lägger till adresser till den aktuella KDC- eller " -"domänkontrollern SSSD använder till denna fil. " - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." 
-msgstr "" -"I miljöer med KDC:er som endast är för läsning och för läsning och skrivning " -"där klienter förväntas använda instanser endast för läsning för allmänna " -"operationer och endast KDC:n för läsning och skrivning för " -"konfigurationsändringar som lösenordsändringar används även en " -"<filename>kpasswdinfo.RIKE</filename> för att identifiera KDC:er för läsning " -"och skrivning. Om denna fill fins för det givna riket kommer innehållet " -"användas av insticksmodulen för att svara på begäranden om en kpasswd- eller " -"kadmin-server eller om den huvud-KDC:n spedifik för MIT Kerberos. Om " -"adressen innehåller ett portnummer kommer standard-KDC-porten 88 användas " -"för det senare." - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." -msgstr "" -"Inte alla Kerberosimplementationer stödjer användningen av insticksmoduler. " -"Om <command>sssd_krb5_locator_plugin</command> inte är gilltänglig på ditt " -"system måste du redigera /etc/krb5.conf för att avspegla din " -"Kerberosuppsättning." - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." -msgstr "" -"Om miljövariabeln SSSD_KRB5_LOCATOR_DEBUG är satt till något värde kommer " -"felsökningsmeddelanden skrivas till standard fel." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "Exempel: <SAN:uniformResourceIdentifier>URN:.*" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." -msgstr "" -"Om miljövariabeln SSSD_KRB5_LOCATOR_DISABLE är satt till något värde " -"avaktiveras insticksmodulen och kommer bara returnera KRB5_PLUGIN_NO_HANDLE " -"till anroparen." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "<SAN:iPAddress>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 -msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." -msgstr "" -"Om miljövariabeln SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES är satt till något " -"värde kommer insticksmodulen försöka slå upp alla DNS-namn i filen kdcinfo. " -"Som standard returneras KRB5_PLUGIN_NO_HANDLE till anroparen omedelbart vid " -"den första misslyckade DNS-uppslagningen." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "Matcha värdet på iPAddress SAN." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "Exempel: <SAN:iPAddress>192\\.168\\..*" -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" -msgstr "konfigurationsfilen för SSSD:s åtkomststyrningleverantör ”simple”" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "<SAN:registeredID>reguljärt-uttryck" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 -msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." -msgstr "" -"Denna manualsida besriver konfigurationen av åtkomststyrningsleverantören " -"simple till <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. För en detaljerad referens om syntaxen, se " -"avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "Matcha värdet på registeredID SAN som punktad decimal sträng." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "Exempel: <SAN:registeredID>1\\.2\\.3\\..*" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Åtkomstleverantören simple tillåter eller nekar åtkomst baserat på en " -"åtkomst- eller nekandelista över användar- eller gruppnamn. Följande regler " -"är tillämpliga:" +"De tillgängliga alternativen är: <placeholder type=\"variablelist\" id=\"0\"/" +">" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Om alla listor är timma tillåts åtkomst" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "MAPPNINGSREGEL" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -"Om någon lista tillhandahålls är evalueringsordningen allow,deny. Detta " -"betyder att en deny-regel som matchar kommer gå före en eventuell matchande " -"allow-regel." +"Mappningsregeln används för att koppla ett certifikat med ett eller flera " +"konton. Ett smartkort med certifik och den matchande privata nyckeln kan då " +"användas för autentisering som ett av dessa konton." -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -"Om antingen den ena eller båda ”tillåtelselistorna” tillhandahålls nekas " -"alla användare om de inte förekommer i listan." +"För närvarande stödjer SSSD egentligen bara LDAP för att slå upp " +"användarinformation (undantaget är proxy-leverantören som inte är relevant " +"här. På grund av detta är mappningsregeln baserad på syntaxen för LDAP-" +"sökfilter med mallar för att lägga till certifikatinnehåll till filtret. " +"Det antas att filtret endast kommer innehålla de specifika data som behövs " +"för mappningen och att anroparen kommer bädda in dem i ett annat filter för " +"att göra den egentliga sökningen. Därför skall filtersträngen börja och " +"sluta med ”(” respektive ”)”." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." 
+"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -"Om endast ”nekandelistor” tillhandahålls tillåts alla användare åtkomst om " -"de inte förekommer i listan." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (sträng)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." -msgstr "Kommaseparerad lista över användare som tillåts att logga in." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (sträng)" +"I allmänhet rekommenderas det att använda attribut från certifikatet och " +"lägga till dem till speciella attribut till LDAP-användarobjektet. T.ex. " +"kan attributet ”altSecurityIdentities” i AD eller attributet " +"”ipaCertMapData” i IPA användas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." -msgstr "Kommaseparerad lista över användare som explicit nekas åtkomst." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. 
On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" +"Detta bör hellre användas än att läsa användarspecifik data från " +"certifikatet som t.ex. en e-postadress och söka efter den i LDAP-servern. " +"Anledningen är att användarspecifika data i LDAP kan ändras av olika " +"anledningar vilket skulle göra sönder mappningen. Å andra sidan skulle det " +"vara svårt att bryta mappningen avsiktligt för en specifik användare." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"Kommaseparerad lista över grupper som tillåts logga in. Detta är endast " -"tillämpligt på grupper i denna SSSD-domän. Lokala grupper utvärderas inte." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (sträng)" +"Mallen kommer lägga till den fullständiga utgivar-DN:en konverterad till en " +"strän enligt RFC 4514. OM X.500-ordning (mest speccifik RDN kommer sist) " +"skall ett alternativ med prefixet ”_x500” användas." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -"Kommaseparerad lista över grupper som nekas åtkost. Detta är endast " -"tillämpligt på grupper i denna SSSD-domän. Lokala grupper utvärderas inte." +"Konverteringsalternativen som börjar med ”ad_” kommer använda attribut som " +"de används av AD, t.ex. ”S” istället för ”ST”." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." 
msgstr "" -"Se <quote>DOMÄNSEKTIONER</quote> i manualsidan <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> för detaljer om konfigurationen av en SSSD-domän. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Konverteringsalternativen som börjar med ”nss_” kommer använda attributnamn " +"som de används av NSS." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -"Att inte ange några värden för någon av listorna är likvärdigt med att hoppa " -"över det helt. Var medveten om detta när parametrar genereras för " -"leverantören simple med automatiserade skript." +"Standard för konverteringsalternativ är ”nss”, d.v.s. attributnamn enligt " +"NSS och LDAP/RFC 4514-ordning." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -"Observera att det är ett konfigurationsfel om båda, simple_allow_users och " -"simple_deny_users, är definierade." +"Exempel: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se " -"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Dessa " -"exempel visar endast alternativ som är specifika för åtkomstleverantören " -"simple." +"Mallen kommer lägga till den fullständiga subjekt-DN:en konverterad till en " +"strän enligt RFC 4514. OM X.500-ordning (mest speccifik RDN kommer sist) " +"skall ett alternativ med prefixet ”_x500” användas." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -"[domain/exempel.se]\n" -"access_provider = simple\n" -"simple_allow_users = användare1, användare2\n" +"Exempel: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "{cert[!(bin|base64)]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -"Den fullständiga gruppmedlemsskapshierarkin löses upp före " -"åtkomstkontrollen, alltså kan även nästade grupper inkluderas i " -"åtkomstlistorna. Var medveten om att alternativet " -"<quote>ldap_group_nesting_level</quote> kan påverka resultaten och skall " -"sättas till ett tillräckligt värde. (<citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>)" +"Denna mall kommer lägga till hela det DER-kodade certifikatet som än sträng " +"till sökfiltret. Beroende på konverteringsalternativen konverteras antingen " +"certifikatet till en hex-sekvens med styrtecken ”\\xx” eller till base64. " +"Hex-strängen med styrtecken är standard och kan t.ex. användas med LDAP-" +"attributet ”userCertificate;binary”." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" -msgstr "sss-certmap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "Exempel: (userCertificate;binary={cert!bin})" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" -msgstr "SSSD:s certifikatmatchnings- och -mappningsregler" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "{subject_principal[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -"Manualsidan beskriver reglerna som kan användas av SSSD och andra " -"komponenter för att matcha X.509-certifikat och koppla dem till konton." +"Denna mall kommer lägga Kerberos-huvudmannen som hämtas antingen från den " +"SAN som används av pkinit eller den som används av AD. Komponenten " +"”short_name” representerar första delen av huvudmannen före tecknet ”@”." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -"Varje regel har fyra komponenter, en <quote>prioritet</quote>, en " -"<quote>matchningsregel</quote>, en <quote>mappningsregel</quote> och en " -"<quote>domänlista</quote>. Alla komponenter är frivilliga. En saknad " -"<quote>prioritet</quote> kommer lägga till regel med den lägsta " -"prioriteten. Standard-<quote>matchningsregeln</quote> kommer matcha " -"certifikat med digitalSignature-nyckelanvändning och clientAuth-" -"utökadnyckelanvändning. Om <quote>mappningsregeln</quote> är tom kommer " -"certifikaten sökas efter i attrubutet userCertificate som DER-kodade " -"binärer. Om inga domäner anges kommer endast den lokala domänen sökas." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" -msgstr "REGELKOMPONENTER" +"Exempel: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" -msgstr "PRIORITET" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "{subject_pkinit_principal[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -"Reglerna bearbetas i prioritetsordning där ”0” (noll) indikerar den högsta " -"prioriteten. Ju högre talet är desto lägre är prioriteten. Ett saknat " -"värde indikerar den lägsta prioriteten. Regelbearbetningen stoppas när en " -"regel som matchar hittas och inga ytterligare regler kontrolleras." +"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som " +"används av pkinit. Komponenten ”short_name” representerar första delen av " +"huvudmannen före tecknet ”@”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." 
+"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -"Internt behandlas prioriteten som teckenlösa 32-bitars heltal, att använda " -"ett prioritetsvärde större än 4294967295 kommer orsaka ett fel." +"Exempel: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" -msgstr "MATCHNINGSREGEL" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "{subject_nt_principal[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -"Matchningsregeln används för att välja ett certifikat som " -"översättningsregeln skall tillämpas på. Det använder ett system liknande " -"det som används av alternativet <quote>pkinit_cert_match</quote> i MIT " -"Kerberos. 
Det består av ett nyckelord omgivet av ”<” och ”>” som " -"identifierar en specifik del av certifikatet och ett mönster som skall " -"finnas för att regeln skall matcha. Flera nyckelord/mönster-par kan " -"antingen sammanfogas med ”&&” (och) eller ”||” (eller)." +"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som " +"används av AD. Komponenten ”short_name” representerar första delen av " +"huvudmannen före tecknet ”@”." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" -msgstr "<SUBJECT>reguljärt-uttryck" +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "{subject_rfc822_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#: sss-certmap.5.xml:489 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -"Med denna kan en del eller hela certifikatets subject-namn matchas. För " -"matchningen används POSIX syntax för utökade reguljära uttryck, se regex(7) " -"för detaljer." +"Denna mall kommer lägga till strängen som lagras i komponenten rfc822Name " +"SAN:en, normalt en e-postadress. Komponenten ”short_name” representerar " +"första delen av huvudmannen före tecknet ”@”." #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#: sss-certmap.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -"För matchningen konverteras subject-namnet lagrat i certifikatet i DER-kodad " -"ASN.1 till en sträng i enlighet med RFC 4514. Detta betyder att den mest " -"specifika namnkomponenten kommer först. Observera att inte alla möjliga " -"attributnamn täcks av RFC 4514. De inkluderade namnen är ”CN”, ”L”, ”ST”, " -"”O”, ”OU”, ”C”, ”STREET”, ”DC” och ”UID”. " +"Exempel: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "{subject_dns_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" -msgstr "Exempel: <SUBJECT>.*,DC=MIN,DC=DOMÄN" +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." 
+msgstr "" +"Denna mall kommer lägga till strängen som lagras i komponenten dNSName SAN:" +"en, normalt ett fullständigt kvalificerat värdnamn. Komponenten " +"”short_name” representerar första delen av huvudmannen före det första ”.”-" +"tecknet." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" +"Exempel: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" -msgstr "<ISSUER>reguljärt-uttryck" +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "{subject_uri}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#: sss-certmap.5.xml:517 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -"Med denna kan en del eller hela certifikatets issuer-namn matchas. Alla " -"kommentarer för <SUBJECT> är tillämpliga här också." +"Denna mall kommer lägga till strängen som lagras i komponenten " +"uniformResourceIdentifier i SAN:en." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -msgstr "Exempel: <ISSUER>^CN=Min-CA,DC=MIN,DC=DOMÄN$" +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "Exempel: (uri={subject_uri})" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "<KU>nyckelanvändning" +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "{subject_ip_address}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#: sss-certmap.5.xml:529 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -"Detta alternativ kan användas för att specificera vilka " -"nyckelanvändningsvärden certifikatet skall ha. Följande värden kan användas " -"i en kommaseparerad lista:" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" -msgstr "digitalSignature" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" -msgstr "nonRepudiation" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" -msgstr "keyEncipherment" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" -msgstr "dataEncipherment" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" -msgstr "keyAgreement" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "keyCertSign" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" -msgstr "cRLSign" +"Denna mall kommer lägga till strängen som lagras i komponenten iPAddress i " +"SAN:en." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" -msgstr "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "Exempel: (ip={subject_ip_address})" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" -msgstr "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "{subject_x400_address}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#: sss-certmap.5.xml:541 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -"Ett numeriskt värde i intervallet hos ett 32-bitars teckenlöst heltal kan " -"användas också för att täcka speciella användningsfall." 
+"Denna mall kommer lägga till värdet som lagras i komponenten x400Address i " +"SAN:en som en hex-sekvens med styrtecken." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" -msgstr "Exempel: <KU>digitalSignature,keyEncipherment" +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "Exempel: (attr:binary={subject_x400_address})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" -msgstr "<EKU>utökad-nyckel-användning" +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#: sss-certmap.5.xml:554 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -"Detta alternativ kan användas för att specificera vilka utökade-nyckel-" -"användningsvärden certifikatet skall ha. Följande värden kan användas i en " -"kommaseparerad lista:" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" -msgstr "serverAuth" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "clientAuth" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" -msgstr "codeSigning" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "emailProtection" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" -msgstr "timeStamping" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "OCSPSigning" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" -msgstr "KPClientAuth" +"Denna mall kommer lägga till DN-strängen för värdet som lagras i komponenten " +"directoryName i SAN:en." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "Exempel: (orig_dn={subject_directory_name})" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" -msgstr "msScLogin" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "{subject_ediparty_name}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sss-certmap.5.xml:566 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -"Användningar av utökade nycklar som inte listas ovanför kan specificeras med " -"sina OID:er i punktad decimal notation." +"Denna mall kommer lägga till värdet som lagras i komponenten ediPartyName i " +"SAN:en som en hex-sekvens med styrtecken." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" -msgstr "Exempel: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "Exempel: (attr:binary={subject_ediparty_name})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" -msgstr "<SAN>reguljärt-uttryck" +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "{subject_registered_id}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sss-certmap.5.xml:579 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." 
msgstr "" -"För att vara kompatibel med användningen av MIT Kerberos kommer detta " -"alternativ matcha Kerberos-huvudmän i PKINIT eller AD NT-Principal SAN som " -"<SAN:Principal> gör." +"Denna mall kommer lägga till OID:n som lagras i komponenten registeredID i " +"SAN:en som en punktad decimal sträng." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "Exempel: <SAN>.*@MITT\\.RIKE" +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "Exempel: (oid={subject_registered_id})" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" -msgstr "<SAN:Principal>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Mallarna för att lägga till certifikatdata till sökfiltret baseras på " +"formateringssträngar i Python-stil. De består av ett nyckelord i " +"krullparenteser med en valfri underkomponentspecificerare separerad av en " +"”.” eller ett valfri konverterings-/formateringsalternativ separerat av ett " +"”!”. Tillåtna värden är: <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." -msgstr "Matcha Kerberos-huvudmännen i PKINIT eller AD NT Principal " +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "DOMÄNLISTA" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" -msgstr "Exempel: <SAN:Principal>.*@MITT\\.RIKE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" +"Om domänlistan inte är tom söks inte användare mappade till ett givet " +"certifikat bara i den lokala domänen utan i de listade domänerna också " +"förutsatt att de är kända av SSSD. Domäner som SSSD inte känner till kommer " +"ignoreras." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" -msgstr "<SAN:ntPrincipalName>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." -msgstr "Matcha Kerberhos-huvudmän från AD NT Principal SAN." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "SSSD IPA-leverantör" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "Exempel: <SAN:ntPrincipalName>.*@MITT.AD.RIKE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Denna manualsida besriver konfigurationen av leverantören IPA till " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " +"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" -msgstr "<SAN:pkinit>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" +"IPA-leverantören är en bakände som används för att ansluta till en IPA-" +"server. (Se webbsidan freeipa.org för information om IPA-servrar.) 
" +"Leverantören förutsätter att maskinen är inlagt i IPA-domänen; " +"konfigurationen är nästan helt självupptäckande och hämtas direkt från " +"servern." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." -msgstr "Matcha Kerberos-huvudmän från PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" +"IPA-leverantören gör att SSSD kan använda identitetsleverantören " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> med optimeringar för IPA-miljöer. IPA-leverantören tar samma " +"alternativ som aänvänds av leverantörerna sssd-ldap och sssd-krb5 med några " +"undantag. Dock är det varken nödvändigt eller lämpligt att sätta dessa " +"alternativ." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" -msgstr "Exempel: <SAN:ntPrincipalName>.*@MITT\\.PKINIT\\.RIKE" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" +"IPA-leverantören kopierar i huvudsak standardalternativen för de " +"traditionella leverantörerna ldap och krb5 med några undantag. Skillnaderna " +"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" -msgstr "<SAN:dotted-decimal-oid>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" +"Som en åtkomstleverantör använder leverantören IPA HBAC-regler (host-based " +"access control, värdbaserad åtkomstkontroll). Se freeipa.org för mer " +"information om HBAC. Ingen konfiguration av åtkomstleverantören behövs på " +"klientsidan." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." 
msgstr "" -"Ta värdet från otherName SAN-komponenten som anges av OID:n i punktad " -"decimal notation, tolka den som en sträng och försök att matcha den mot det " -"reguljära uttrycket." +"Om <quote>auth_provider=ipa</quote> eller <quote>access_provider=ipa</quote> " +"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ipa</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" -msgstr "Exempel: <SAN:1.2.3.4>test" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" +"IPA-leverantörer kommer använda PAC-respondenten om Kerberos-biljetter för " +"användare för betrodda riken innehåller en PAC. För att göra " +"konfigurationen enklare startas PAC-respondenten automatiskt om ID-" +"leverantören IPA är konfigurerad." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" -msgstr "<SAN:otherName>base64-sträng" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. 
With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -"Gör en binär matchning med den base64-kodade klicken mot alla otherName SAN-" -"komponenter. Med detta alternativ är det möjligt att macha mot anpassade " -"otherName-komponenter med speciella kodningar som inte kan hanteras som " -"strängar." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "Exempel: <SAN:otherName>MTIz" +"Anger namnet på IPA-domänen. Detta är frivilligt. Om det inte anges " +"används namnet på den konfigurerade domänen." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" -msgstr "<SAN:rfc822Name>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." -msgstr "Matcha värdet på rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" +"Den kommaseparerade listan av IP-adresser eller värdnamn till IPA-servrar " +"till vilka SSSD skall ansluta i prioritetsordning. För mer information om " +"reserver och serverredundans se avsnittet <quote>RESERVER</quote>. Detta är " +"frivilligt om autodiscovery är aktiverat. För mer information " +"tjänsteupptäckt, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" -msgstr "Exempel: <SAN:rfc822Name>.*@epost\\.domän" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" -msgstr "<SAN:dNSName>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" +"Valfri. Kan sättas på maskiner där hostname(5) inte avspeglar det " +"fullständigt kvalificerade namnet som används i IPA-domänen för att " +"identifiera denna värd. Värdnamnet måste vara fullständigt kvalificerat." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." -msgstr "Matcha värdet på dNSName SAN." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (boolean)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" -msgstr "Exempel: <SAN:dNSName>.*\\.min\\.dns\\.domän" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" +"Valfritt. Detta alternativ säger till SSSD att automatiskt uppdatera DNS-" +"servern som är inbyggd i FreeIPA med IP-adressen för denna klient. " +"Uppdateringen säkras med GSS-TSIG. IP-adressen för IPA-LDAP-förbindelsen " +"används för uppdateringar, om det inte specificeras på annat sätt med " +"alternativet <quote>dyndns_iface</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" -msgstr "<SAN:x400Address>base64-sträng" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" +"OBS: på äldre system (såsom RHEL 5) måste standardriket för Kerberos sättas " +"i /etc/krb5.conf för att detta beteende skall fungera pålitligt." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." -msgstr "Matcha binärt värdet på x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" +"OBS: även om det fortfarande är möjligt att använda det gamla alternativet " +"<emphasis>ipa_dyndns_update</emphasis> bör användare migrera till att " +"använda <emphasis>dyndns_update</emphasis> i sin konfigurationsfil." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" -msgstr "Exempel: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (heltal)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" -msgstr "<SAN:directoryName>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" +"TTL:en att använda för klientens DNS-post vid uppdatering. Om dyndns_update " +"är falsk har detta ingen effekt. Detta kommer åsidosätta TTL på serversidan " +"om det är satt av en administratör." 
-#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -"Matcha värdet på directoryName SAN. Samma kommentarer som gavs för <" -"ISSUER> och <SUBJECT> gäller här också." +"OBS: även om det fortfarande är möjligt att använda det gamla alternativet " +"<emphasis>ipa_dyndns_ttl</emphasis> bör användare migrera till att använda " +"<emphasis>dyndns_ttl</emphasis> i sin konfigurationsfil." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" -msgstr "Exempel: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Default: 1200 (sekunder)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" -msgstr "<SAN:ediPartyName>base64-sträng" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." 
-msgstr "Matcha binärt värdet på ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" +"Valfri. Endast tillämpligt när dyndns_update är sann. Väl gränssnittet " +"eller en lista av gränssnitt vars IP-adresser skall användas för dynamiska " +"DNS-uppdateringar. Specialvärdet <quote>*</quote> betyder att IP:n från " +"alla gränssnitt skall användas." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" -msgstr "Exempel: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" +"OBS: även om det fortfarande är möjligt att använda det gamla alternativet " +"<emphasis>ipa_dyndns_iface</emphasis> bör användare migrera till att använda " +"<emphasis>dyndns_iface</emphasis> i sin konfigurationsfil." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" -msgstr "<SAN:uniformResourceIdentifier>reguljärt-uttryck" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" +"Standard: använd IP-adresser för gränssnittet som används för IPA LDAP-" +"förbindelsen" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." -msgstr "Matcha värdet på uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "Exempel: dyndns_iface = em1, vnet1, vnet2" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" -msgstr "Exempel: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" +msgstr "dyndns_auth (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" -msgstr "<SAN:iPAddress>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." 
+msgstr "" +"Huruvida verktyget nsupdate skall använda GSS-TSIG-autentisering för säkra " +"uppdateringar av DNS-servern, osäkra uppdateringar kan skickas genom att " +"sätta detta alternativ till ”none”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." -msgstr "Matcha värdet på iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" +msgstr "Standard: GSS-TSIG" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" -msgstr "Exempel: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (boolean)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" -msgstr "<SAN:registeredID>reguljärt-uttryck" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "Aktiverar DNS-sajter – platsbaserat tjänsteupptäckt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." -msgstr "Matcha värdet på registeredID SAN som punktad decimal sträng." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" +"Om sant och tjänsteupptäckt (se stycket Tjänsteupptäckt i slutet av " +"manualsidan) är aktiverat kommer SSSD först att försöka med platsbaserad " +"upptäckt med en fråga som innehåller ”_location.hostname.example.com” och " +"sedan falla tillbaka på traditionell SRV-upptäckt. Om platsbaserad upptäckt " +"lyckas betraktas IPA-servrarna som lokaliserats med platsbaserad upptäckt " +"som primära servrar och IPA-servrarna som hittas med den traditionenlla SRV-" +"upptäckten används som backup-servrar." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" -msgstr "Exempel: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (heltal)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -"De tillgängliga alternativen är: <placeholder type=\"variablelist\" id=\"0\"/" -">" +"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den " +"automatiska uppdateringen som utförs när bakänden kopplar upp. Detta " +"alternativ är valfritt och tillämpligt endast när dyndns_update är sann." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" -msgstr "MAPPNINGSREGEL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (bool)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -"Mappningsregeln används för att koppla ett certifikat med ett eller flera " -"konton. Ett smartkort med certifik och den matchande privata nyckeln kan då " -"användas för autentisering som ett av dessa konton." 
+"Huruvida PTR-posten också skall uppdateras explicit när klientens DNS-post " +"uppdateras. Tillämpligt endast när dyndsn_update är sann." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -"För närvarande stödjer SSSD egentligen bara LDAP för att slå upp " -"användarinformation (undantaget är proxy-leverantören som inte är relevant " -"här. På grund av detta är mappningsregeln baserad på syntaxen för LDAP-" -"sökfilter med mallar för att lägga till certifikatinnehåll till filtret. " -"Det antas att filtret endast kommer innehålla de specifika data som behövs " -"för mappningen och att anroparen kommer bädda in dem i ett annat filter för " -"att göra den egentliga sökningen. Därför skall filtersträngen börja och " -"sluta med ”(” respektive ”)”." +"Detta alternativ är False i de flesta IPA-installationer eftersom IPA-" +"servern genererar PTR-posterna automatiskt när framåtposterna ändras." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Standard: False (avaktiverat)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (bool)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" +"Huruvida nsupdate-verktyget som standard skall använda TCP för kommunikation " +"med DNS-servern." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "Standard: False (låt nsupdate välja protokollet)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" +msgstr "dyndns_server (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." 
msgstr "" -"I allmänhet rekommenderas det att använda attribut från certifikatet och " -"lägga till dem till speciella attribut till LDAP-användarobjektet. T.ex. " -"kan attributet ”altSecurityIdentities” i AD eller attributet " -"”ipaCertMapData” i IPA användas." +"DNS-servern som skall användas när en uppdatering av DNS utförs. I de " +"flesta uppsättningar rekommenderas det att låta detta alternativ vara osatt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -"Detta bör hellre användas än att läsa användarspecifik data från " -"certifikatet som t.ex. en e-postadress och söka efter den i LDAP-servern. " -"Anledningen är att användarspecifika data i LDAP kan ändras av olika " -"anledningar vilket skulle göra sönder mappningen. Å andra sidan skulle det " -"vara svårt att bryta mappningen avsiktligt för en specifik användare." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Att sätta detta alternativ är meningsfullt i miljöer där DNS-servern är " +"skild från identitetsservern." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -"Mallen kommer lägga till den fullständiga utgivar-DN:en konverterad till en " -"strän enligt RFC 4514. OM X.500-ordning (mest speccifik RDN kommer sist) " -"skall ett alternativ med prefixet ”_x500” användas." +"Observera att detta alternativ bara kommer användas i försök att falla " +"tillbaka på när tidigare försök som använder automatiskt upptäckta " +"inställningar misslyckas." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" +msgstr "Standard: Ingen (låt nsupdate välja servern)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" +msgstr "dyndns_update_per_family (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." 
+"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -"Konverteringsalternativen som börjar med ”ad_” kommer använda attribut som " -"de används av AD, t.ex. ”S” istället för ”ST”." +"DNS-uppdateringar utförs som standard i två steg – IPv4-uppdatering och " +"sedan IPv6-uppdatering. I några fall kan det vara önskvärt att utföra " +"IPv4- och IPv6-uppdateringar i ett enda steg." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" +msgstr "ipa_deskprofile_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -"Konverteringsalternativen som börjar med ”nss_” kommer använda attributnamn " -"som de används av NSS." +"Frivillig. Använd den givna strängen som sökbas för " +"skrivbordsprofilrelaterade objekt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 -msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Standard: använd bas-DN" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -"Standard för konverteringsalternativ är ”nss”, d.v.s. attributnamn enligt " -"NSS och LDAP/RFC 4514-ordning." +"Frivillig. Använd den givna strängen som sökbas för HBAC-relaterade objekt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "Undanbedes. Använd ldap_host_search_base istället." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" -"Exempel: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Frivillig. Använd den givna strängen som en sökbas för SELinux-" +"användaröversättningar." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" +"Frivillig. Använd den givna strängen som en sökbas för betrodda domäner." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Standard: värdet på <emphasis>cn=trusts,%basedn</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" +"Frivillig. Använd den givna strängen som en sökbas för huvuddomänobjekt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "Standard: värdet av <emphasis>cn=ad,cn=etc,%basedn</emphasis>" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" +msgstr "ipa_views_search_base (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." +msgstr "Frivillig. Använd den givna strängen som en sökbas för vybehållare." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "Standard: värdet av <emphasis>cn=views,cn=accounts,%basedn</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -"Mallen kommer lägga till den fullständiga subjekt-DN:en konverterad till en " -"strän enligt RFC 4514. OM X.500-ordning (mest speccifik RDN kommer sist) " -"skall ett alternativ med prefixet ”_x500” användas." +"Namnet på Kerberos-riket. Detta är frivilligt och som standard blir det " +"värdet av <quote>ipa_domain</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -"Exempel: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"Namnet på Kerberos-riket har en speciell betydelse i IPA – det konverteras " +"till bas-DN:en för att användas när LDAP-operationer utförs." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" -msgstr "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" +msgstr "krb5_confd_path (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -"Denna mall kommer lägga till hela det DER-kodade certifikatet som än sträng " -"till sökfiltret. Beroende på konverteringsalternativen konverteras antingen " -"certifikatet till en hex-sekvens med styrtecken ”\\xx” eller till base64. 
" -"Hex-strängen med styrtecken är standard och kan t.ex. användas med LDAP-" -"attributet ”userCertificate;binary”." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" -msgstr "Exempel: (userCertificate;binary={cert!bin})" +"Absolut sökväg till en katalog där SSSD skall placera konfigurtionsstycken " +"för Kerberos." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" -msgstr "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" +"För att förhindra att konfigurationsstycken skapas, sätt parametern till " +"”none”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -"Denna mall kommer lägga Kerberos-huvudmannen som hämtas antingen från den " -"SAN som används av pkinit eller den som används av AD. Komponenten " -"”short_name” representerar första delen av huvudmannen före tecknet ”@”." +"Standard: inte satt (underkatalogen krb5.include.d till SSSD:s pubconf-" +"katalog)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "ipa_deskprofile_refresh (heltal)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -"Exempel: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern. " +"Detta kommer reducera tidsfördröjningen och lasten på IPA-servern om det " +"görs många begäranden om skrivbordsprofiler under en kort tid." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" -msgstr "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Standard: 5 (sekunder)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "ipa_deskprofile_request_interval (heltal)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som " -"används av pkinit. Komponenten ”short_name” representerar första delen av " -"huvudmannen före tecknet ”@”." +"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern ifall " +"den senaste förfrågan inte returnerade någon regel" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" +msgstr "Standard: 60 (minuter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (heltal)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -"Exempel: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"Tiden mellan uppslagningar av HBAC-regler mot IPA-servern. 
Detta kommer " +"reducera tidsfördröjningen och lasten på IPA-servern om det görs många " +"begäranden om åtkomstkontroll under en kort tid." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" -msgstr "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (heltal)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som " -"används av AD. Komponenten ”short_name” representerar första delen av " -"huvudmannen före tecknet ”@”." +"Tiden mellan uppslagningar av SELinux-översättningar mot IPA-servern. Detta " +"kommer reducera tidsfördröjningen och lasten på IPA-servern om det görs " +"många begäranden om användarinloggningar under en kort tid." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" -msgstr "{subject_rfc822_name[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (boolean)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -"Denna mall kommer lägga till strängen som lagras i komponenten rfc822Name " -"SAN:en, normalt en e-postadress. Komponenten ”short_name” representerar " -"första delen av huvudmannen före tecknet ”@”." +"Detta alternativ sätts automatiskt av IPA-installeraren (ipa-server-install) " +"och markerar om SSSD kör på en IPA-server eller inte." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -"Exempel: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"På en IPA-server kommer SSSD slå upp användare och grupper från betrodda " +"domäner direkt medan på en klient kommer den att fråga en IPA-server." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" -msgstr "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" +"OBS: det finns för närvarande några antagenden som måste uppfyllas när SSSD " +"kör på en IPA-server." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -"Denna mall kommer lägga till strängen som lagras i komponenten dNSName SAN:" -"en, normalt ett fullständigt kvalificerat värdnamn. Komponenten " -"”short_name” representerar första delen av huvudmannen före det första ”.”-" -"tecknet." +"Alternativet <quote>ipa_server</quote> måste konfigureras till att peka på " +"själva IPA-servern. Detta är redan standardvärdet som sätts av IPA-" +"installeraren, så det behövs inga manuella ändringar." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -"Exempel: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"Alternativet <quote>full_name_format</quote> får inte ändras till att bara " +"skriva korta namn på användare från betrodda domäner." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" +msgstr "Automonteringsplatsen denna IPA-klient kommer använda" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "Standard: platsen som heter ”default”" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" +msgstr "VYER OCH ÅSIDOSÄTTANDEN" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" -msgstr "{subject_uri}" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" +msgstr "ipa_view_class (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 -msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." 
-msgstr "" -"Denna mall kommer lägga till strängen som lagras i komponenten " -"uniformResourceIdentifier i SAN:en." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." +msgstr "Objektklass för vybehållaren." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "Exempel: (uri={subject_uri})" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" +msgstr "Standard: nsContainer" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" -msgstr "{subject_ip_address}" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" +msgstr "ipa_view_name (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 -msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." -msgstr "" -"Denna mall kommer lägga till strängen som lagras i komponenten iPAddress i " -"SAN:en." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." +msgstr "Namn på attributet som har namnet på vyn." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" -msgstr "Exempel: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Standard: cn" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" -msgstr "{subject_x400_address}" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" +msgstr "ipa_override_object_class (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 -msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." -msgstr "" -"Denna mall kommer lägga till värdet som lagras i komponenten x400Address i " -"SAN:en som en hex-sekvens med styrtecken." +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." +msgstr "Objektklass för åsidosättande objekt." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" -msgstr "Exempel: (attr:binary={subject_x400_address})" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" +msgstr "Standard: ipaOverrideAnchor" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 -msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" +msgstr "ipa_anchor_uuid (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#: sssd-ipa.5.xml:643 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"Name of the attribute containing the reference to the original object in a " +"remote domain." 
msgstr "" -"Denna mall kommer lägga till DN-strängen för värdet som lagras i komponenten " -"directoryName i SAN:en." +"Namn på attributet som innehåller referensen till originalobjektet i en " +"fjärrdomän." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" -msgstr "Exempel: (orig_dn={subject_directory_name})" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" +msgstr "Standard: ipaAnchorUUID" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" -msgstr "{subject_ediparty_name}" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" +msgstr "ipa_user_override_object_class (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#: sssd-ipa.5.xml:656 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -"Denna mall kommer lägga till värdet som lagras i komponenten ediPartyName i " -"SAN:en som en hex-sekvens med styrtecken." +"Namn på objektklassen för användaråsidosättanden. Det används för att " +"avgöra om det funna åsidosättande objektet är relaterat till en användare " +"eller en grupp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" -msgstr "Exempel: (attr:binary={subject_ediparty_name})" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" +msgstr "Användaråsidosättanden kan innehålla attribut givna av" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" +msgstr "ldap_user_name" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" +msgstr "ldap_user_uid_number" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" +msgstr "ldap_user_gid_number" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" +msgstr "ldap_user_gecos" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" +msgstr "ldap_user_home_directory" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" +msgstr "ldap_user_shell" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" +msgstr "ldap_user_ssh_public_key" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" +msgstr "Standard: ipaUserOverride" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" -msgstr "{subject_registered_id}" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" +msgstr "ipa_group_override_object_class (sträng)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#: sssd-ipa.5.xml:696 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -"Denna mall kommer lägga till OID:n som lagras i komponenten registeredID i " -"SAN:en som en punktad decimal sträng." +"Namn på objektklassen för gruppåsidosättanden. Det används för att avgöra " +"om det funna åsidosättandeobjektet är relaterat till en användare eller en " +"grupp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" -msgstr "Exempel: (oid={subject_registered_id})" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" +msgstr "Gruppåsidosättanden kan innehålla attribut givna av" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 -msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. 
Allowed values are: "
-"<placeholder type=\"variablelist\" id=\"0\"/>"
-msgstr ""
-"Mallarna för att lägga till certifikatdata till sökfiltret baseras på "
-"formateringssträngar i Python-stil. De består av ett nyckelord i "
-"krullparenteser med en valfri underkomponentspecificerare separerad av en "
-"”.” eller ett valfri konverterings-/formateringsalternativ separerat av ett "
-"”!”. Tillåtna värden är: <placeholder type=\"variablelist\" id=\"0\"/>"
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:704
+msgid "ldap_group_name"
+msgstr "ldap_group_name"
-#. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sss-certmap.5.xml:592
-msgid "DOMAIN LIST"
-msgstr "DOMÄNLISTA"
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:707
+msgid "ldap_group_gid_number"
+msgstr "ldap_group_gid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:712
+msgid "Default: ipaGroupOverride"
+msgstr "Standard: ipaGroupOverride"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sss-certmap.5.xml:594
+#: sssd-ipa.5.xml:596
 msgid ""
-"If the domain list is not empty users mapped to a given certificate are not "
-"only searched in the local domain but in the listed domains as well as long "
-"as they are know by SSSD. Domains not know to SSSD will be ignored."
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values.
<placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 msgstr ""
-"Om domänlistan inte är tom söks inte användare mappade till ett givet "
-"certifikat bara i den lokala domänen utan i de listade domänerna också "
-"förutsatt att de är kända av SSSD. Domäner som SSSD inte känner till kommer "
-"ignoreras."
-
-#. type: Content of: <reference><refentry><refnamediv><refname>
-#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
-msgid "sssd-ipa"
-msgstr "sssd-ipa"
+"SSSD kan hantera vyer och åsidosättanden som erbjuds av FreeIPA 4.1 och "
+"senare versioner. Eftersom alla sökvägar och objektklasser är fasta på "
+"serversidan finns det egentligen inget behov av att konfigurera något. För "
+"fullständighets skull är de tillhörande alternativen listade här med sina "
+"standardvärden. <placeholder type=\"variablelist\" id=\"0\"/>"
-#. type: Content of: <reference><refentry><refnamediv><refpurpose>
-#: sssd-ipa.5.xml:17
-msgid "SSSD IPA provider"
-msgstr "SSSD IPA-leverantör"
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:724
+msgid "SUBDOMAINS PROVIDER"
+msgstr "UNDERDOMÄNLEVERANTÖR"
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:23
+#: sssd-ipa.5.xml:726
 msgid ""
-"This manual page describes the configuration of the IPA provider for "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
-"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
-"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
 msgstr ""
-"Denna manualsida besriver konfigurationen av leverantören IPA till "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>.
För en detaljerad referens om syntaxen, se avsnittet "
-"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd."
-"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+"IPA-underomänleverantören beter sig något annorlunda om den konfigureras "
+"explicit eller implicit."
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:36
+#: sssd-ipa.5.xml:730
 msgid ""
-"The IPA provider is a back end used to connect to an IPA server. (Refer to "
-"the freeipa.org web site for information about IPA servers.) This provider "
-"requires that the machine be joined to the IPA domain; configuration is "
-"almost entirely self-discovered and obtained directly from the server."
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
 msgstr ""
-"IPA-leverantören är en bakände som används för att ansluta till en IPA-"
-"server. (Se webbsidan freeipa.org för information om IPA-servrar.) "
-"Leverantören förutsätter att maskinen är inlagt i IPA-domänen; "
-"konfigurationen är nästan helt självupptäckande och hämtas direkt från "
-"servern."
+"Om alternativet ”subdomains_provider = ipa” finns i domänavsnittet i sssd."
+"conf konfigureras IPA-underdomänsleverantören explicit, och alla begäranden "
+"tav underdomäner skickas till IPA-servern om nödvändigt."
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:43
+#: sssd-ipa.5.xml:736
 msgid ""
-"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
-"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
-"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
-"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
-"optimizations for IPA environments.
The IPA provider accepts the same "
-"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
-"However, it is neither necessary nor recommended to set these options."
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
 msgstr ""
-"IPA-leverantören gör att SSSD kan använda identitetsleverantören "
-"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
-"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> "
-"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> med optimeringar för IPA-miljöer. IPA-leverantören tar samma "
-"alternativ som aänvänds av leverantörerna sssd-ldap och sssd-krb5 med några "
-"undantag. Dock är det varken nödvändigt eller lämpligt att sätta dessa "
-"alternativ."
+"Om alternativet ”subdomains_provider” inte är satt i domänavsnittet av sssd."
+"conf men alternativet ”id_provider = ipa” finns konfigureras IPA-"
+"underdomänsleverantören implicit. I det fallet, om en underdomänsbegäran "
+"misslyckas och indikerar att servern inte stödjer underdomäner, d.v.s. den "
+"är inte konfigurerad för förtroenden, avaktiveras IPA-"
+"underdomänsleverantören. Efter en timma eller efter att IPA-leverantören "
+"blir uppkopplad aktiveras underdomänsleverantören igen."
-#.
type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:57
-msgid ""
-"The IPA provider primarily copies the traditional ldap and krb5 provider "
-"default options with some exceptions, the differences are listed in the "
-"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:747
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr "KONFIGURATION AV BETRODDA DOMÄNER"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:753
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
 msgstr ""
-"IPA-leverantören kopierar i huvudsak standardalternativen för de "
-"traditionella leverantörerna ldap och krb5 med några undantag. Skillnaderna "
-"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>."
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:749
 msgid ""
-"As an access provider, the IPA provider uses HBAC (host-based access "
-"control) rules. Please refer to freeipa.org for more information about "
-"HBAC. No configuration of access provider is required on the client side."
+"Some configuration options can be also set for a trusted domain. A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
-"Som en åtkomstleverantör använder leverantören IPA HBAC-regler (host-based "
-"access control, värdbaserad åtkomstkontroll). Se freeipa.org för mer "
-"information om HBAC. Ingen konfiguration av åtkomstleverantören behövs på "
-"klientsidan."
+"Några konfigurationsalternativ kan även sättas för en betrodd domän. En "
+"konfiguration av en betrodd domän kan antingen göras med ett underavsnitt, "
+"till exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
 #.
type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:67
+#: sssd-ipa.5.xml:758
 msgid ""
-"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
-"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
-"quote>."
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
 msgstr ""
-"Om <quote>auth_provider=ipa</quote> eller <quote>access_provider=ipa</quote> "
-"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ipa</"
-"quote>."
+"Dessutom kan några alternativ sättas i föräldradomänen och ärvas av den "
+"betrodda domänen med alternativet <quote>subdomain_inherit</quote>. För "
+"fler detaljer, se manualsidan <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:73
+#: sssd-ipa.5.xml:768
 msgid ""
-"The IPA provider will use the PAC responder if the Kerberos tickets of users "
-"from trusted realms contain a PAC. To make configuration easier the PAC "
-"responder is started automatically if the IPA ID provider is configured."
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
 msgstr ""
-"IPA-leverantörer kommer använda PAC-respondenten om Kerberos-biljetter för "
-"användare för betrodda riken innehåller en PAC. För att göra "
-"konfigurationen enklare startas PAC-respondenten automatiskt om ID-"
-"leverantören IPA är konfigurerad."
+"Olika konfigurationsalternativ kan ställas in för en betrodd domän beroende "
+"på huruvida man konfigurerar SSSD på en IPA-server eller en IPA-klient."
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
-msgid "ipa_domain (string)"
-msgstr "ipa_domain (sträng)"
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:773
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-MASTRAR"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:775
 msgid ""
-"Specifies the name of the IPA domain. This is optional. If not provided, "
-"the configuration domain name is used."
+"The following options can be set in a subdomain section on an IPA master:"
 msgstr ""
-"Anger namnet på IPA-domänen. Detta är frivilligt. Om det inte anges "
-"används namnet på den konfigurerade domänen."
+"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-master:"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:100
-msgid "ipa_server, ipa_backup_server (string)"
-msgstr "ipa_server, ipa_backup_server (sträng)"
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809
+msgid "ad_server"
+msgstr "ad_server"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:103
-msgid ""
-"The comma-separated list of IP addresses or hostnames of the IPA servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"This is optional if autodiscovery is enabled. For more information on "
-"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
-msgstr ""
-"Den kommaseparerade listan av IP-adresser eller värdnamn till IPA-servrar "
-"till vilka SSSD skall ansluta i prioritetsordning. För mer information om "
-"reserver och serverredundans se avsnittet <quote>RESERVER</quote>. Detta är "
-"frivilligt om autodiscovery är aktiverat. För mer information "
-"tjänsteupptäckt, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>."
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:782
+msgid "ad_backup_server"
+msgstr "ad_backup_server"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116
-msgid "ipa_hostname (string)"
-msgstr "ipa_hostname (sträng)"
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812
+msgid "ad_site"
+msgstr "ad_site"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
-msgid ""
-"Optional. May be set on machines where the hostname(5) does not reflect the "
-"fully qualified name used in the IPA domain to identify this host. The "
-"hostname must be fully qualified."
-msgstr ""
-"Valfri. Kan sättas på maskiner där hostname(5) inte avspeglar det "
-"fullständigt kvalificerade namnet som används i IPA-domänen för att "
-"identifiera denna värd. Värdnamnet måste vara fullständigt kvalificerat."
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:788
+msgid "ldap_search_base"
+msgstr "ldap_search_base"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
-msgid "dyndns_update (boolean)"
-msgstr "dyndns_update (boolean)"
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:791
+msgid "ldap_user_search_base"
+msgstr "ldap_user_search_base"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:131
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:794
+msgid "ldap_group_search_base"
+msgstr "ldap_group_search_base"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:803
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-KLIENTER"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:805
 msgid ""
-"Optional. This option tells SSSD to automatically update the DNS server "
-"built into FreeIPA with the IP address of this client. The update is secured "
-"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
-"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
-"quote> option."
+"The following options can be set in a subdomain section on an IPA client:"
 msgstr ""
-"Valfritt. Detta alternativ säger till SSSD att automatiskt uppdatera DNS-"
-"servern som är inbyggd i FreeIPA med IP-adressen för denna klient. "
-"Uppdateringen säkras med GSS-TSIG. IP-adressen för IPA-LDAP-förbindelsen "
-"används för uppdateringar, om det inte specificeras på annat sätt med "
-"alternativet <quote>dyndns_iface</quote>."
+"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-klient:"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:817
 msgid ""
-"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
-"the default Kerberos realm must be set properly in /etc/krb5.conf"
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
 msgstr ""
-"OBS: på äldre system (såsom RHEL 5) måste standardriket för Kerberos sättas "
-"i /etc/krb5.conf för att detta beteende skall fungera pålitligt."
+"Observera att om bådda alternativen sätts evalueras endast <quote>ad_server</"
+"quote>."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:145
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:821
 msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
-"emphasis> in their config file."
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
 msgstr ""
-"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
-"<emphasis>ipa_dyndns_update</emphasis> bör användare migrera till att "
-"använda <emphasis>dyndns_update</emphasis> i sin konfigurationsfil."
-
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
-msgid "dyndns_ttl (integer)"
-msgstr "dyndns_ttl (heltal)"
+"Eftersom alla begäranden om en användar- eller en gruppidentitet från en "
+"betrodd domän startad från en IPA-klient löses upp av IPA-servern, påverkar "
+"alternativen <quote>ad_server</quote> och <quote>ad_site</quote> bara vilken "
+"AD DC autentiseringen kommer utföras emot. I synnerhet kommer adresserna "
+"som löses upp från dessa listor att skrivas till <quote>kdcinfo</quote>-"
+"filer som läses av Kerberos-lokaliseringinsticksmodulen. För fler detaljer "
+"om Kerberos-lokaliseringsinsticksmodulen hänvisas till manualsidan "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:845
 msgid ""
-"The TTL to apply to the client DNS record when updating it. If "
-"dyndns_update is false this has no effect. This will override the TTL "
-"serverside if set by an administrator."
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
 msgstr ""
-"TTL:en att använda för klientens DNS-post vid uppdatering. Om dyndns_update "
-"är falsk har detta ingen effekt. Detta kommer åsidosätta TTL på serversidan "
-"om det är satt av en administratör."
+"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se "
+"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Dessa "
+"exempel visar endast alternativ som är specifika för leverantören ipa."
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:165
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:852
+#, no-wrap
 msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
-"emphasis> in their config file."
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
 msgstr ""
-"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
-"<emphasis>ipa_dyndns_ttl</emphasis> bör användare migrera till att använda "
-"<emphasis>dyndns_ttl</emphasis> i sin konfigurationsfil."
+"[domain/exemple.se]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.exempel.se\n"
+"ipa_hostname = minvärd.exempel.se\n"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:171
-msgid "Default: 1200 (seconds)"
-msgstr "Default: 1200 (sekunder)"
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr "sssd-ad"
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
-msgid "dyndns_iface (string)"
-msgstr "dyndns_iface (sträng)"
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr "SSSD Active Directory-leverantör"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:23
+msgid ""
+"This manual page describes the configuration of the AD provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.
For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Denna manualsida besriver konfigurationen av leverantören AD till "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet "
+"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:36
 msgid ""
-"Optional. Applicable only when dyndns_update is true. Choose the interface "
-"or a list of interfaces whose IP addresses should be used for dynamic DNS "
-"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
-"should be used."
+"The AD provider is a back end used to connect to an Active Directory server. "
+"This provider requires that the machine be joined to the AD domain and a "
+"keytab is available. Back end communication occurs over a GSSAPI-encrypted "
+"channel, SSL/TLS options should not be used with the AD provider and will be "
+"superseded by Kerberos usage."
 msgstr ""
-"Valfri. Endast tillämpligt när dyndns_update är sann. Väl gränssnittet "
-"eller en lista av gränssnitt vars IP-adresser skall användas för dynamiska "
-"DNS-uppdateringar. Specialvärdet <quote>*</quote> betyder att IP:n från "
-"alla gränssnitt skall användas."
+"Leverantören AD är en bakände som används för att ansluta till en Active "
+"Directory-server. Leverantören att maskinen läggs in i AD-domänen och en "
+"keytab är tillgänlig.
Bakändekommunikationen sker över en GSSAPI-krypterad "
+"kanal, SSL/TLS-alternativ skall inte användas tillsammans med AD-"
+"leverantören och kommer ersättas av Kerberos-användning."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:187
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:44
 msgid ""
-"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
-"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
-"emphasis> in their config file."
+"The AD provider supports connecting to Active Directory 2008 R2 or later. "
+"Earlier versions may work, but are unsupported."
 msgstr ""
-"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
-"<emphasis>ipa_dyndns_iface</emphasis> bör användare migrera till att använda "
-"<emphasis>dyndns_iface</emphasis> i sin konfigurationsfil."
+"AD-leverantören stödjer anslutning till Active Directory 2008 R2 eller "
+"senare. Tidigare versioner kan fungera, men stödjs inte."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:193
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:48
 msgid ""
-"Default: Use the IP addresses of the interface which is used for IPA LDAP "
-"connection"
+"The AD provider can be used to get user information and authenticate users "
+"from trusted domains. Currently only trusted domains in the same forest are "
+"recognized. In addition servers from trusted domains are always auto-"
+"discovered."
 msgstr ""
-"Standard: använd IP-adresser för gränssnittet som används för IPA LDAP-"
-"förbindelsen"
-
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
-msgid "Example: dyndns_iface = em1, vnet1, vnet2"
-msgstr "Exempel: dyndns_iface = em1, vnet1, vnet2"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
-msgid "dyndns_auth (string)"
-msgstr "dyndns_auth (sträng)"
+"AD-leverantören kan användas för att få användarinformation och autentisera "
+"användare från betrodda domäner. För närvarande känns endast betrodda "
+"domäner i samma skog igen. Dessutom automatupptäcks alltid servrar från "
+"betrodda domäner."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:54
 msgid ""
-"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
-"updates with the DNS server, insecure updates can be sent by setting this "
-"option to 'none'."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
-"Huruvida verktyget nsupdate skall använda GSS-TSIG-autentisering för säkra "
-"uppdateringar av DNS-servern, osäkra uppdateringar kan skickas genom att "
-"sätta detta alternativ till ”none”."
-
-#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
-msgid "Default: GSS-TSIG"
-msgstr "Standard: GSS-TSIG"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218
-msgid "ipa_enable_dns_sites (boolean)"
-msgstr "ipa_enable_dns_sites (boolean)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
-msgid "Enables DNS sites - location based service discovery."
-msgstr "Aktiverar DNS-sajter – platsbaserat tjänsteupptäckt."
+"AD-leverantören gör att SSSD kan använda identitetsleverantören "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> med optimeringar för Active Directory-miljöer. AD-"
+"leverantören tar samma alternativ som aänvänds av leverantörerna sssd-ldap "
+"och sssd-krb5 med några undantag. Dock är det varken nödvändigt eller "
+"lämpligt att sätta dessa alternativ."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:225
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:69
 msgid ""
-"If true and service discovery (see Service Discovery paragraph at the bottom "
-"of the man page) is enabled, then the SSSD will first attempt location "
-"based discovery using a query that contains \"_location.hostname.example.com"
-"\" and then fall back to traditional SRV discovery.
If the location based "
-"discovery succeeds, the IPA servers located with the location based "
-"discovery are treated as primary servers and the IPA servers located using "
-"the traditional SRV discovery are used as back up servers"
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
-"Om sant och tjänsteupptäckt (se stycket Tjänsteupptäckt i slutet av "
-"manualsidan) är aktiverat kommer SSSD först att försöka med platsbaserad "
-"upptäckt med en fråga som innehåller ”_location.hostname.example.com” och "
-"sedan falla tillbaka på traditionell SRV-upptäckt. Om platsbaserad upptäckt "
-"lyckas betraktas IPA-servrarna som lokaliserats med platsbaserad upptäckt "
-"som primära servrar och IPA-servrarna som hittas med den traditionenlla SRV-"
-"upptäckten används som backup-servrar."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
-msgid "dyndns_refresh_interval (integer)"
-msgstr "dyndns_refresh_interval (heltal)"
+"AD-leverantören kopierar i huvudsak standardalternativen för de "
+"traditionella leverantörerna ldap och krb5 med några undantag. Skillnaderna "
+"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:74
 msgid ""
-"How often should the back end perform periodic DNS update in addition to the "
-"automatic update performed when the back end goes online. This option is "
-"optional and applicable only when dyndns_update is true."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
msgstr ""
-"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den "
-"automatiska uppdateringen som utförs när bakänden kopplar upp. Detta "
-"alternativ är valfritt och tillämpligt endast när dyndns_update är sann."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
-msgid "dyndns_update_ptr (bool)"
-msgstr "dyndns_update_ptr (bool)"
+"AD-leverantören kan även användas som en åtkomst-, chpass-, sudo- och autofs-"
+"leverantör. Ingen konfiguration av åtkomstleverantören behövs på "
+"klientsidan."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:79
 msgid ""
-"Whether the PTR record should also be explicitly updated when updating the "
-"client's DNS records. Applicable only when dyndns_update is true."
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ad</"
+"quote>."
 msgstr ""
-"Huruvida PTR-posten också skall uppdateras explicit när klientens DNS-post "
-"uppdateras. Tillämpligt endast när dyndsn_update är sann."
+"Om <quote>auth_provider=ad</quote> eller <quote>access_provider=ad</quote> "
+"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ad</"
+"quote>."
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:268
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:91
+#, no-wrap
 msgid ""
-"This option should be False in most IPA deployments as the IPA server "
-"generates the PTR records automatically when forward records are changed."
+"ldap_id_mapping = False\n" +" " msgstr "" -"Detta alternativ är False i de flesta IPA-installationer eftersom IPA-" -"servern genererar PTR-posterna automatiskt när framåtposterna ändras." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "Standard: False (avaktiverat)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (bool)" +"ldap_id_mapping = False\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. 
Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -"Huruvida nsupdate-verktyget som standard skall använda TCP för kommunikation " -"med DNS-servern." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "Standard: False (låt nsupdate välja protokollet)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" -msgstr "dyndns_server (sträng)" +"Som standard kommer AD-leverantören översätta UID- och GID-värden från " +"parametern objectSID i Active Directory. För detaljer om detta se avsnittet " +"<quote>ID-ÖVERSÄTTNING</quote> nedan. Om du vill avaktivera ID-översättning " +"och istället lita på POSIX-attribut definierade i Active Directory skall du " +"sätta <placeholder type=\"programlisting\" id=\"0\"/>. Om POSIX-attribut " +"skall användas rekommenderas det av restandaskäl att attributen även " +"replikeras till den globala katalogen. Om POSIX-attribut replikeras kommer " +"SSSD försöka att hitta domänen för den begärda numeriska ID:n med hjälp av " +"den globala katalogen och endast söka i den domänen. Om POSIX-attribut " +"däremot inte replikeras till den globala katalogen måste SSSD söka i alla " +"domänerna i skogen sekventiellt. Observera att alternativet " +"<quote>cache_first</quote> också kan vara till hjälp för att snabba upp " +"domänlösa sökningar. Observera att om endast en delmängd av POSIX-" +"attributen finns i den globala katalogen läses för närvarande inte de " +"attribut som inte replikeras från LDAP-porten." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -"DNS-servern som skall användas när en uppdatering av DNS utförs. I de " -"flesta uppsättningar rekommenderas det att låta detta alternativ vara osatt." +"Användare, grupper och andra enheter som servas av SSSD behandlas alltid som " +"skiftlägesokänsliga i AD-leverantören för kompatibilitet med Active " +"Directorys LDAP-implementation." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:126 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -"Att sätta detta alternativ är meningsfullt i miljöer där DNS-servern är " -"skild från identitetsservern." +"Anger namnet på Active Directory-domänen. Detta är frivilligt. Om det inte " +"anges används namnet på den konfigurerade domänen." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:131 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -"Observera att detta alternativ bara kommer användas i försök att falla " -"tillbaka på när tidigare försök som använder automatiskt upptäckta " -"inställningar misslyckas." +"För att fungera ordentligt skall detta alternativ anges som den gemena " +"versionen av den långa versionen av Active Directorys domän." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" -msgstr "Standard: Ingen (låt nsupdate välja servern)" +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" +"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) " +"detekteras automatiskt av SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" -msgstr "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "ad_enabled_domains (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:146 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." 
+"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -"DNS-uppdateringar utförs som standard i två steg – IPv4-uppdatering och " -"sedan IPv6-uppdatering. I några fall kan det vara önskvärt att utföra " -"IPv4- och IPv6-uppdateringar i ett enda steg." +"En kommaseparerad lista av aktiverade Active Directory-domäner. Om det " +"tillhandahålls kommer SSSD ignorera eventuella domäner som inte räknas upp i " +"detta alternativ. Om det lämnas osatt kommer alla domäner från AD-skogen " +"vara tillgängliga." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" -msgstr "ipa_deskprofile_search_base (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" +"ad_enabled_domains = marknad.exempel.se, tekn.exempel.se\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:152 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Frivillig. Använd den givna strängen som sökbas för " -"skrivbordsprofilrelaterade objekt." +"För att fungera ordentligt bör detta alternativ anges helt i gemener och som " +"det fullständigt kvalificerade namnet på Active Directorys domänen. Till " +"exempel: <placeholder type=\"programlisting\" id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Standard: använd bas-DN" +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" +"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) " +"kommer detekteras automatiskt av SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (sträng)" +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -"Frivillig. Använd den givna strängen som sökbas för HBAC-relaterade objekt." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (sträng)" +"Den kommaseparerade listan av värdnamn till AD-servrar till vilka SSSD skall " +"ansluta i prioritetsordning. För mer information om reserver och " +"serverredundans se avsnittet <quote>RESERVER</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." -msgstr "Undanbedes. Använd ldap_host_search_base istället." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (sträng)" +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" +"Detta är frivilligt om automatupptäckt är aktiverat. För mer information om " +"tjänsteupptäckt se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -"Frivillig. Använd den givna strängen som en sökbas för SELinux-" -"användaröversättningar." +"Observera: betrodda domäner kommer alltid automatiskt upptäcka servrar även " +"om den primära servern definieras uttryckligen i alternativet ad_server." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (sträng)" +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -"Frivillig. Använd den givna strängen som en sökbas för betrodda domäner." +"Valfri. 
Kan sättas på maskiner där hostname(5) inte avspeglar det " +"fullständigt kvalificerade namnet som används i Active Directory-domänen för " +"att identifiera denna värd." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "Standard: värdet på <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" +"Detta fält används för att avgöra värd-huvudmannen som används i keytab:en. " +"Det måste stämma med värdnamnet som keytab:en gavs ut för." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (sträng)" +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -"Frivillig. Använd den givna strängen som en sökbas för huvuddomänobjekt." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "Standard: värdet av <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +"Om sant och tjänsteupptäckt (se stycket Tjänsteupptäckt i slutet av " +"manualsidan) är aktiverat kommer SSSD först att försöka matt hitta en Active " +"Directory-server att ansluta till med Active Directory Site Discovery och " +"sedan falla tillbaka på traditionell SRV-upptäckt om ingen AD-sajt hittas. " +"Konfigurationen av DNS SRV, inklusive upptäcktsdomänen, används också under " +"sajtupptäckten." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" -msgstr "ipa_views_search_base (sträng)" +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." -msgstr "Frivillig. Använd den givna strängen som en sökbas för vybehållare." +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" +"Detta alternativ anger LDAP:s åtkomstkontrollfilter som anändaren måste " +"matcha för att tillåtas åtkomst. Observera att alternativet " +"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</" +"quote> för att detta alternativ skall ha någon effekt." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" -msgstr "Standard: värdet av <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" +"Alternativet stödjer också att ange olika filter per domän eller skog. " +"Detta utökade filter skulle bestå av: <quote>NYCKELORD:NAMN:FILTER</quote>. " +"Nyckelordet kan vara antingen <quote>DOM</quote>, <quote>FOREST</quote> " +"eller utelämnas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:252 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -"Namnet på Kerberos-riket. Detta är frivilligt och som standard blir det " -"värdet av <quote>ipa_domain</quote>." +"Om nyckelordet är lika med <quote>DOM</quote> eller saknas anger " +"<quote>NAMN</quote> domänen eller underdomänen filtret gäller för. Om " +"nyckelordet är lika med <quote>FOREST</quote> är filtret lika för alla " +"domäner från skogen som anges av <quote>NAMN</quote>." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:260 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -"Namnet på Kerberos-riket har en speciell betydelse i IPA – det konverteras " -"till bas-DN:en för att användas när LDAP-operationer utförs." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" -msgstr "krb5_confd_path (sträng)" +"Flera filter kan avgränsas med tecknet <quote>?</quote>, i likhet med hur " +"sökbaser fungerar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:265 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -"Absolut sökväg till en katalog där SSSD skall placera konfigurtionsstycken " -"för Kerberos." 
+"Nästade gruppmedlemskap måste sökas efter med en speciell OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> utöver den fullständiga syntaxen " +"DOM:domän.exempel.se: för att säkerställa att tolken inte försöker tolka " +"kolontecknen som hör till OID:n. Om man inte använder denna OID kommer " +"nästade gruppmedlemskap inte slås upp. Se användningsexempel nedan och se " +"här för ytterligare information om OID:n: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] avsnittet LDAP-" +"utökningar</ulink>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:278 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -"För att förhindra att konfigurationsstycken skapas, sätt parametern till " -"”none”." +"Den mest specifika matchingen används alltid. Till exempel, om alternativet " +"angav filter för en domän användaren är medlem i och ett globalt filter " +"skulle det domänspecifika filtret tillämpas. Om det finns fler matchningar " +"med samma specifikation används den första." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -"Standard: inte satt (underkatalogen krb5.include.d till SSSD:s pubconf-" -"katalog)" +"# tillämpla endast filtret på än domän som heter dom1:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# tillämpa endast filtret på en domän som heter dom2:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# tillämpa endast filtret på en skog som heter EXEMPEL.SE:\n" +"FOREST:EXEMPEL.SE:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# tillämpa filtret på en medlem av en nästad grupp i dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" -msgstr "ipa_deskprofile_refresh (heltal)" +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:311 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. 
This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern. " -"Detta kommer reducera tidsfördröjningen och lasten på IPA-servern om det " -"görs många begäranden om skrivbordsprofiler under en kort tid." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Standard: 5 (sekunder)" +"Ange en AD-sajt som klienten skall försöka ansluta till. Om detta " +"alternativ inte anges kommer AD-sajten att automatupptäckas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" -msgstr "ipa_deskprofile_request_interval (heltal)" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (boolean)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:325 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern ifall " -"den senaste förfrågan inte returnerade någon regel" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "Standard: 60 (minuter)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (heltal)" +"Som standard ansluter SSSD till den globala katalogen först för att hämta " +"användare från betrodda domäner och använder LDAP-porten för att hämta " +"gruppmedlemskap som en reserv. Att avaktivera detta alternativ gör att SSSD " +"endast ansluter till lDAP-porten på den aktuella AD-servern." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:333 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -"Tiden mellan uppslagningar av HBAC-regler mot IPA-servern. Detta kommer " -"reducera tidsfördröjningen och lasten på IPA-servern om det görs många " -"begäranden om åtkomstkontroll under en kort tid." +"Observera att att avaktivera stöd för den globala katalogen inte avaktiverar " +"att hämta användare från betrodda domäner. SSSD skulle ansluta till LDAP-" +"porten på den betrodda domänen istället. Dock måste den globala katalogen " +"användas för att slå upp gruppmedlemskap över domäner." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (heltal)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:350 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -"Tiden mellan uppslagningar av SELinux-översättningar mot IPA-servern. Detta " -"kommer reducera tidsfördröjningen och lasten på IPA-servern om det görs " -"många begäranden om användarinloggningar under en kort tid." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (boolean)" +"Detta alternativ anger arbetsläget för GPO-baserad " +"åtkomstkontrollsfunktionalitet: huruvida det arbetar i avaktiverat läge, " +"tvingande läge eller tillåtande läge. Observera att alternativet " +"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</" +"quote> för att detta alternativ skall ha någon effekt." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:359 +#, fuzzy +#| msgid "" +#| "GPO-based access control functionality uses GPO policy settings to " +#| "determine whether or not a particular user is allowed to logon to a " +#| "particular host." msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -"Detta alternativ sätts automatiskt av IPA-installeraren (ipa-server-install) " -"och markerar om SSSD kör på en IPA-server eller inte." +"GPO-baserad åtkomstkontrollsfunktionalitet använder GPO-policyinställningar " +"för att avgöra huruvida en viss användare tillåts att logga på en viss värd." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:367 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -"På en IPA-server kommer SSSD slå upp användare och grupper från betrodda " -"domäner direkt medan på en klient kommer den att fråga en IPA-server." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#: sssd-ad.5.xml:376 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -"OBS: det finns för närvarande några antagenden som måste uppfyllas när SSSD " -"kör på en IPA-server." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#: sssd-ad.5.xml:386 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -"Alternativet <quote>ipa_server</quote> måste konfigureras till att peka på " -"själva IPA-servern. Detta är redan standardvärdet som sätts av IPA-" -"installeraren, så det behövs inga manuella ändringar." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#: sssd-ad.5.xml:393 msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." 
msgstr "" -"Alternativet <quote>full_name_format</quote> får inte ändras till att bara " -"skriva korta namn på användare från betrodda domäner." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "Automonteringsplatsen denna IPA-klient kommer använda" +#: sssd-ad.5.xml:401 +msgid "" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." +msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "Standard: platsen som heter ”default”" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" -msgstr "VYER OCH ÅSIDOSÄTTANDEN" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" -msgstr "ipa_view_class (sträng)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." -msgstr "Objektklass för vybehållaren." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" -msgstr "Standard: nsContainer" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" -msgstr "ipa_view_name (sträng)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." -msgstr "Namn på attributet som har namnet på vyn." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" -msgstr "ipa_override_object_class (sträng)" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." -msgstr "Objektklass för åsidosättande objekt." +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" +"OBS: Den nuvarande versionen av SSSD stödjer inte värd- (dator-)poster i GPO:" +"s ”säkerhetsfilter”-lista. Endast användar- och gruppposter stödjs. " +"Värdposter i listan har ingen effekt." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" -msgstr "Standard: ipaOverrideAnchor" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 +#, fuzzy +#| msgid "" +#| "NOTE: If the operation mode is set to enforcing, it is possible that " +#| "users that were previously allowed logon access will now be denied logon " +#| "access (as dictated by the GPO policy settings). In order to facilitate a " +#| "smooth transition for administrators, a permissive mode is available that " +#| "will not enforce the access control rules, but will evaluate them and " +#| "will output a syslog message if access would have been denied. By " +#| "examining the logs, administrators can then make the necessary changes " +#| "before setting the mode to enforcing." +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." +msgstr "" +"OBS: Om arbetsläget är satt till tvingande är det möjligt att användare som " +"tidigare tilläts inloggningsåtkomst nu kommer att nekas inloggningsåtkomst " +"(som det dikteras av GPO-policyinställningarna). För att möjliggöra en " +"smidig övergång för administratörer är ett tillåtande läge tillgängligt som " +"inte kommer tvinga reglerna för åtkomstkontroll, men kommer beräkna dem och " +"skriva ut ett syslog-meddelande om åtkomst skulle ha nekats. 
Genom att " +"granska loggarna kan administratörer sedan göra de nödvändiga ändringarna " +"före de ställer in arbetsläget till tvingande." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "ipa_anchor_uuid (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" +msgstr "Det finns tre stödda värden för detta alternativ:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -"Namn på attributet som innehåller referensen till originalobjektet i en " -"fjärrdomän." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" -msgstr "Standard: ipaAnchorUUID" +"disabled: GPO-baserade åtkomstkontrollsregler varken evalueras eller " +"påtvingas." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" -msgstr "ipa_user_override_object_class (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "enforcing: GPO-baserade åtkomstkontrollregler evalueras och påtvingas." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -"Namn på objektklassen för användaråsidosättanden. Det används för att " -"avgöra om det funna åsidosättande objektet är relaterat till en användare " -"eller en grupp." +"permissive: GPO-baserade åtkomstkontrollregler evalueras men påtvingas " +"inte. Istället skickas ett syslog-meddelande ut om indikerar att användaren " +"skulle ha nekats åtkomst om detta alternativs värde vore satt till enforcing." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" -msgstr "Användaråsidosättanden kan innehålla attribut givna av" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" +msgstr "Standard: permissive" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" -msgstr "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" +msgstr "Standard: enforcing" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" -msgstr "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "ad_gpo_implicit_deny (boolean)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 +msgid "" +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." +msgstr "" +"Normalt när inga tillämpliga GPO:er finns tillåts användarna åtkomst. När " +"detta alternativ är satt till True kommer användare att tillåtas åtkomst " +"endast när det uttryckligen tillåts av en GPO-regel. Annars kommer " +"användare nekas åtkomst. Detta kan användas för att stärka säkerheten men " +"var försiktig när detta alternativ används för det kan neka åtkomst även " +"till användare i den inbyggda administratörsgruppen om inga GPO-regler är " +"tillämpliga på dem." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" -msgstr "ldap_user_gecos" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" +msgstr "ad_gpo_ignore_unreadable (boolean)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" -msgstr "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:495 +msgid "" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." +msgstr "" +"Normalt när några gruppolicybehållare (AD-objekt) av några tillämpliga " +"gruppolicyobjekt inte är läsbara av SSSD så nekas användare åtkomst. Detta " +"alternativ tillåter att man ignorerar gruppolicybehållare och med dem " +"tillhörande policyer om deras attribut i gruppolicybehållare inte är läsbara " +"för SSSD." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" -msgstr "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (heltal)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" -msgstr "ldap_user_ssh_public_key" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:515 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" +"Tiden mellan uppslagningar av GPO-policyfiler AD-servern. Detta kommer " +"reducera tidsfördröjningen och lasten på AD-servern om det görs många " +"begäranden om åtkomstkontroll under en kort tid." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" -msgstr "Standard: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" -msgstr "ipa_group_override_object_class (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:531 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. 
If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:549 msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -"Namn på objektklassen för gruppåsidosättanden. Det används för att avgöra " -"om det funna åsidosättandeobjektet är relaterat till en användare eller en " -"grupp." +"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " +"”Tillåt inloggning lokalt” och ”Neka inloggning lokalt”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" -msgstr "Gruppåsidosättanden kan innehålla attribut givna av" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" +"ad_gpo_map_interactive = +min_pam_tjänst, -login\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" -msgstr "ldap_group_name" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:554 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " +"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " +"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " +"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " +"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>login</" +"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" +"quote>) skulle man använda följande konfiguration: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" +msgstr "gdm-fingerprint" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "Standard: ipaGroupOverride" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" +msgstr "lightdm" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 -msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" -msgstr "" -"SSSD kan hantera vyer och åsidosättanden som erbjuds av FreeIPA 4.1 och " -"senare versioner. Eftersom alla sökvägar och objektklasser är fasta på " -"serversidan finns det egentligen inget behov av att konfigurera något. För " -"fullständighets skull är de tillhörande alternativen listade här med sina " -"standardvärden. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" +msgstr "lxdm" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "UNDERDOMÄNLEVERANTÖR" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" +msgstr "sddm" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 -msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." -msgstr "" -"IPA-underomänleverantören beter sig något annorlunda om den konfigureras " -"explicit eller implicit." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "unity" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" +msgstr "xdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -"Om alternativet ”subdomains_provider = ipa” finns i domänavsnittet i sssd." 
-"conf konfigureras IPA-underdomänsleverantören explicit, och alla begäranden " -"tav underdomäner skickas till IPA-servern om nödvändigt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:657 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -"Om alternativet ”subdomains_provider” inte är satt i domänavsnittet av sssd." -"conf men alternativet ”id_provider = ipa” finns konfigureras IPA-" -"underdomänsleverantören implicit. I det fallet, om en underdomänsbegäran " -"misslyckas och indikerar att servern inte stödjer underdomäner, d.v.s. den " -"är inte konfigurerad för förtroenden, avaktiveras IPA-" -"underdomänsleverantören. Efter en timma eller efter att IPA-leverantören " -"blir uppkopplad aktiveras underdomänsleverantören igen." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" -msgstr "KONFIGURATION AV BETRODDA DOMÄNER" +"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " +"”Tillåt inloggning via fjärrskrivbordstjänster” och ”Neka inloggning via " +"fjärrinloggningstjänter”." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 #, no-wrap msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"ad_gpo_map_remote_interactive = +min_pam_tjänst, -sshd\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:663 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Några konfigurationsalternativ kan även sättas för en betrodd domän. En " -"konfiguration av en betrodd domän kan antingen göras med ett underavsnitt, " -"till exempel: <placeholder type=\"programlisting\" id=\"0\"/>" +"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " +"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " +"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " +"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " +"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>sshd</" +"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. 
<quote>min_pam-tjänst</" +"quote>) skulle man använda följande konfiguration: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "sshd" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" +msgstr "cockpit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:697 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" -"Dessutom kan några alternativ sättas i föräldradomänen och ärvas av den " -"betrodda domänen med alternativet <quote>subdomain_inherit</quote>. För " -"fler detaljer, se manualsidan <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:715 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -"Olika konfigurationsalternativ kan ställas in för en betrodd domän beroende " -"på huruvida man konfigurerar SSSD på en IPA-server eller en IPA-klient." - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" -msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-MASTRAR" +"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " +"”Kom åt denna dator från nätverket” och ”Neka åtkomst till denna dator från " +"nätverket”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" -"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-master:" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" -msgstr "ad_server" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" -msgstr "ad_backup_server" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" -msgstr "ad_site" +"ad_gpo_map_network = +min_pam_tjänst, -ftp\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" -msgstr "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " +"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " +"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " +"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " +"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>ftp</" +"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" +"quote>) skulle man använda följande konfiguration: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" -msgstr "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "ftp" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" -msgstr "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" +msgstr "samba" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-KLIENTER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:755 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. 
If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" -"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-klient:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:773 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -"Observera att om bådda alternativen sätts evalueras endast <quote>ad_server</" -"quote>." +"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " +"”Tillåt inloggning som ett batch-jobb” och ”Neka inloggning som ett batch-" +"jobb”." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." 
+"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" -"Eftersom alla begäranden om en användar- eller en gruppidentitet från en " -"betrodd domän startad från en IPA-klient löses upp av IPA-servern, påverkar " -"alternativen <quote>ad_server</quote> och <quote>ad_site</quote> bara vilken " -"AD DC autentiseringen kommer utföras emot. I synnerhet kommer adresserna " -"som löses upp från dessa listor att skrivas till <quote>kdcinfo</quote>-" -"filer som läses av Kerberos-lokaliseringinsticksmodulen. För fler detaljer " -"om Kerberos-lokaliseringsinsticksmodulen hänvisas till manualsidan " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>." +"ad_gpo_map_batch = +min_pam_tjänst, -crond\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:778 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se " -"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Dessa " -"exempel visar endast alternativ som är specifika för leverantören ipa." 
+"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " +"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " +"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " +"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " +"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>crond</" +"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" +"quote>) skulle man använda följande konfiguration: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:790 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -"[domain/exemple.se]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.exempel.se\n" -"ipa_hostname = minvärd.exempel.se\n" +"Obs: cron-tjänstenamn kan skilja beroende på vilken Linuxdistribution som " +"används." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" +msgstr "crond" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "SSSD Active Directory-leverantör" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:808 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"Denna manualsida besriver konfigurationen av leverantören AD till " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " -"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -"Leverantören AD är en bakände som används för att ansluta till en Active " -"Directory-server. Leverantören att maskinen läggs in i AD-domänen och en " -"keytab är tillgänlig. Bakändekommunikationen sker över en GSSAPI-krypterad " -"kanal, SSL/TLS-alternativ skall inte användas tillsammans med AD-" -"leverantören och kommer ersättas av Kerberos-användning." +"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " +"”Tillåt inloggning som en tjänst” och ”Neka inloggning som en tjänst”." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" -"AD-leverantören stödjer anslutning till Active Directory 2008 R2 eller " -"senare. Tidigare versioner kan fungera, men stödjs inte." +"ad_gpo_map_service = +min_pam_tjänst\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" -"AD-leverantören kan användas för att få användarinformation och autentisera " -"användare från betrodda domäner. För närvarande känns endast betrodda " -"domäner i samma skog igen. Dessutom automatupptäcks alltid servrar från " -"betrodda domäner." +"Det är möjligt att lägga till ett PAM-tjänstnamn till standarduppsättningen " +"genom att använda <quote>+tjänstenamn</quote>. Eftersom " +"standarduppsättningen är tom är det inte möjligt att ta bort ett PAM-" +"tjänstenamn från standarduppsättningen. Till exempel, för att lägga till " +"ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</quote>) skulle " +"man använda följande konfiguration: <placeholder type=\"programlisting\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (sträng)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:852 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -"AD-leverantören gör att SSSD kan använda identitetsleverantören " -"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> " -"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> med optimeringar för Active Directory-miljöer. AD-" -"leverantören tar samma alternativ som aänvänds av leverantörerna sssd-ldap " -"och sssd-krb5 med några undantag. Dock är det varken nödvändigt eller " -"lämpligt att sätta dessa alternativ." +"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst " +"alltid tillåts, oavsett några andra GPO-inloggningsrättigheter." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." 
+"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" -"AD-leverantören kopierar i huvudsak standardalternativen för de " -"traditionella leverantörerna ldap och krb5 med några undantag. Skillnaderna " -"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>." +"ad_gpo_map_permit = +min_pam_tjänst, -sudo\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:857 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"AD-leverantören kan även användas som en åtkomst-, chpass-, sudo- och autofs-" -"leverantör. Ingen konfiguration av åtkomstleverantören behövs på " -"klientsidan." +"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " +"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " +"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " +"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " +"standard-PAM-tjänstenamn för ovillkorligt tillåten åtkomst (t.ex. " +"<quote>sudo</quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-" +"tjänst</quote>) skulle man använda följande konfiguration: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" +msgstr "polkit-1" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" +msgstr "systemd-user" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:901 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -"Om <quote>auth_provider=ad</quote> eller <quote>access_provider=ad</quote> " -"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ad</" -"quote>." +"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst " +"alltid nekas, oavsett några andra GPO-inloggningsrättigheter." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 #, no-wrap msgid "" -"ldap_id_mapping = False\n" -" " +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" -"ldap_id_mapping = False\n" -" " +"ad_gpo_map_deny = +min_pam_tjänst\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:927 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. 
Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" -"Som standard kommer AD-leverantören översätta UID- och GID-värden från " -"parametern objectSID i Active Directory. För detaljer om detta se avsnittet " -"<quote>ID-ÖVERSÄTTNING</quote> nedan. Om du vill avaktivera ID-översättning " -"och istället lita på POSIX-attribut definierade i Active Directory skall du " -"sätta <placeholder type=\"programlisting\" id=\"0\"/>. Om POSIX-attribut " -"skall användas rekommenderas det av restandaskäl att attributen även " -"replikeras till den globala katalogen. Om POSIX-attribut replikeras kommer " -"SSSD försöka att hitta domänen för den begärda numeriska ID:n med hjälp av " -"den globala katalogen och endast söka i den domänen. Om POSIX-attribut " -"däremot inte replikeras till den globala katalogen måste SSSD söka i alla " -"domänerna i skogen sekventiellt. Observera att alternativet " -"<quote>cache_first</quote> också kan vara till hjälp för att snabba upp " -"domänlösa sökningar. Observera att om endast en delmängd av POSIX-" -"attributen finns i den globala katalogen läses för närvarande inte de " -"attribut som inte replikeras från LDAP-porten." +"Detta alternativ definierar hur åtkomstkontroll beräknas för PAM-tjänstenamn " +"som inte är uttryckligen listade i en av alternativen ad_gpo_map_*. Detta " +"alternativ kan anges på två olika sätt. Antingen kan detta alternativ " +"sättas till att ange standardinloggningsrättigheter. Till exempel, om detta " +"alternativ är satt till ”interactive” betyder det att att omappade PAM-" +"tjänstenamn kommer bearbetas baserat på policyinställningarna " +"InteractiveLogonRight och DenyInteractiveLogonRight. Alternativt kan detta " +"alternativ sättas till att antingen alltid tillåta eller lltid neka åtkomst " +"för omappade PAM-tjänstenamn." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" +msgstr "Värden som stödjs för detta alternativ inkluderar:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." -msgstr "" -"Användare, grupper och andra enheter som servas av SSSD behandlas alltid som " -"skiftlägesokänsliga i AD-leverantören för kompatibilitet med Active " -"Directorys LDAP-implementation." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" +msgstr "interactive" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (sträng)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" +msgstr "remote_interactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" +msgstr "network" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" +msgstr "batch" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" +msgstr "service" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" +msgstr "permit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" +msgstr "deny" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." -msgstr "" -"Anger namnet på Active Directory-domänen. Detta är frivilligt. Om det inte " -"anges används namnet på den konfigurerade domänen." +#: sssd-ad.5.xml:980 +msgid "Default: deny" +msgstr "Standard: deny" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "ad_maximum_machine_account_password_age (heltal)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#: sssd-ad.5.xml:989 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" -"För att fungera ordentligt skall detta alternativ anges som den gemena " -"versionen av den långa versionen av Active Directorys domän." +"SSSD kommer en gång om dagen kontrollera om maskinkontolösenordet är äldre " +"än den givna ålder i dagar och försöka förnya det. Ett värde på 0 kommer " +"förhindra förnyelseförsöket." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." -msgstr "" -"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) " -"detekteras automatiskt av SSSD." +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" +msgstr "Standard: 30 dagar" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" -msgstr "ad_enabled_domains (sträng)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "ad_machine_account_password_renewal_opts (sträng)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#: sssd-ad.5.xml:1004 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" -"En kommaseparerad lista av aktiverade Active Directory-domäner. Om det " -"tillhandahålls kommer SSSD ignorera eventuella domäner som inte räknas upp i " -"detta alternativ. Om det lämnas osatt kommer alla domäner från AD-skogen " -"vara tillgängliga." +"Detta alternativ skall endast användas för att testa " +"maskinkontoförnyelsefunktionen. Alternativet förväntar sig 2 heltal " +"separerade av ett kolon (”:”). Det första heltalet anger intervallet i " +"sekunder hur ofta funktionen körs. 
Det andra anger den initiala tidsgränsen " +"i sekunder före funktionen körs för första gången efter uppstart." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "Standard: 86400:750 (24h och 15m)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" -"ad_enabled_domains = marknad.exempel.se, tekn.exempel.se\n" -" " +"Valfritt. Detta alternativ säger till SSSD att automatiskt uppdatera DNS-" +"servern i Active Directory med IP-adressen för denna klient. Uppdateringen " +"säkras med GSS-TSIG. Som en konsekvens av det behöver Active Directory-" +"administratören bara tillåta säkra uppdateringar för DNS-zonen. IP-adressen " +"för AD-LDAP-förbindelsen används för uppdateringar, om det inte specificeras " +"på annat sätt med alternativet <quote>dyndns_iface</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "Standard: 3600 (sekunder)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -"För att fungera ordentligt bör detta alternativ anges helt i gemener och som " -"det fullständigt kvalificerade namnet på Active Directorys domänen. Till " -"exempel: <placeholder type=\"programlisting\" id=\"0\"/>" +"Standard: använd IP-adresser för gränssnittet som används för AD LDAP-" +"förbindelsen" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#: sssd-ad.5.xml:1081 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) " -"kommer detekteras automatiskt av SSSD." +"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den " +"automatiska uppdateringen som utförs när bakänden kopplar upp. Detta " +"alternativ är valfritt och tillämpligt endast när dyndns_update är sann. " +"Observera att det lägsta möjliga värdet är 60 sekunder, ifall ett värde " +"mindre än 60 ges kommer parametern endast anta det lägsta värdet." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (sträng)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Standard: True" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -"Den kommaseparerade listan av värdnamn till AD-servrar till vilka SSSD skall " -"ansluta i prioritetsordning. För mer information om reserver och " -"serverredundans se avsnittet <quote>RESERVER</quote>." +"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se " +"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Detta " +"exempel visar endast alternativ som är specifika för leverantören AD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." 
+"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -"Detta är frivilligt om automatupptäckt är aktiverat. För mer information om " -"tjänsteupptäckt se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." +"[domain/EXEMPEL]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.exempel.se\n" +"ad_hostname = client.exempel.se\n" +"ad_domain = exempel.se\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -"Observera: betrodda domäner kommer alltid automatiskt upptäcka servrar även " -"om den primära servern definieras uttryckligen i alternativet ad_server." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (sträng)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Leverantören AD av åtkomstkontroll kontrollerar om kontot har gått ut. 
Det " +"har samma effekt som följande konfiguration av LDAP-leverantören: " +"<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -"Valfri. Kan sättas på maskiner där hostname(5) inte avspeglar det " -"fullständigt kvalificerade namnet som används i Active Directory-domänen för " -"att identifiera denna värd." +"Dock, om inte åtkomstleverantören <quote>ad</quote> är konfigurerad explicit " +"är standardåtkomstleverantören <quote>permit</quote>. Observera att om man " +"konfigurerar en annan åtkomstleverantör än <quote>ad</quote> behöver man " +"sätta alla anslutningsparametrarna (såsoms LDAP URI:er och " +"krypteringsdetaljer) manuellt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." 
msgstr "" -"Detta fält används för att avgöra värd-huvudmannen som används i keytab:en. " -"Det måste stämma med värdnamnet som keytab:en gavs ut för." +"När autofs-leverantören är satt till <quote>ad</quote> används " +"översättningen av schemaattribut enligt RFC2307 (nisMap, nisObject, …), för " +"att dessa attribut inkluderas i standardschemat för Active Directory." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "Konfigurera sudo med SSSD-bakänden" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." 
msgstr "" -"Om sant och tjänsteupptäckt (se stycket Tjänsteupptäckt i slutet av " -"manualsidan) är aktiverat kommer SSSD först att försöka matt hitta en Active " -"Directory-server att ansluta till med Active Directory Site Discovery och " -"sedan falla tillbaka på traditionell SRV-upptäckt om ingen AD-sajt hittas. " -"Konfigurationen av DNS SRV, inklusive upptäcktsdomänen, används också under " -"sajtupptäckten." +"Denna manualsida beskriver hur man konfigurerar <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"till att fungera med <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> och hur SSSD cachar sudo-regler." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "ad_access_filter (sträng)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "Konfigurera sudo att samarbeta med SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"Detta alternativ anger LDAP:s åtkomstkontrollfilter som anändaren måste " -"matcha för att tillåtas åtkomst. 
Observera att alternativet " -"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</" -"quote> för att detta alternativ skall ha någon effekt." +"För att aktivera SSSD som en källa för sudo-regler, lägg till <emphasis>sss</" +"emphasis> till posten <emphasis>sudoers</emphasis> i <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -"Alternativet stödjer också att ange olika filter per domän eller skog. " -"Detta utökade filter skulle bestå av: <quote>NYCKELORD:NAMN:FILTER</quote>. " -"Nyckelordet kan vara antingen <quote>DOM</quote>, <quote>FOREST</quote> " -"eller utelämnas." +"Till exempel, för att konfigurera sudo till att först slå upp regler i " +"standardfilen <citerefentry> <refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> (som bör innehålla regler som " +"gäller för lokala användare) och sedan i SSSD, skall filen nsswitch.conf " +"innehålla följande rad:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"Om nyckelordet är lika med <quote>DOM</quote> eller saknas anger " -"<quote>NAMN</quote> domänen eller underdomänen filtret gäller för. Om " -"nyckelordet är lika med <quote>FOREST</quote> är filtret lika för alla " -"domäner från skogen som anges av <quote>NAMN</quote>." +"Mer information om att konfigurera sökordningen för sudoers från filen " +"nsswitch.conf liksom information om LDAP-schemat som används för att spara " +"sudo-regler i katalogen finns i <citerefentry> <refentrytitle>sudoers.ldap</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." 
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -"Flera filter kan avgränsas med tecknet <quote>?</quote>, i likhet med hur " -"sökbaser fungerar." +"<emphasis>Observera</emphasis>: för att använda nätgrupper eller IPA-" +"värdgrupper i sudo-regler behöver man även sätta <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> korrekt till sitt NIS-domännamn (som är samma som IPA-" +"domännamnet här värdgrupper används)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "Konfigurera SSSD till att hämta sudo-regler" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -"Nästade gruppmedlemskap måste sökas efter med en speciell OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> utöver den fullständiga syntaxen " -"DOM:domän.exempel.se: för att säkerställa att tolken inte försöker tolka " -"kolontecknen som hör till OID:n. Om man inte använder denna OID kommer " -"nästade gruppmedlemskap inte slås upp. Se användningsexempel nedan och se " -"här för ytterligare information om OID:n: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] avsnittet LDAP-" -"utökningar</ulink>" +"All konfiguration som behövs på SSSD-sidan är att utöka listan över " +"<emphasis>tjänster</emphasis> med ”sudo” i avsnittet [sssd] i <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>. För att snabba upp LDAP-uppslagningarna kan man även sätta " +"sökbasen för sudo-regler med alternativet <emphasis>ldap_sudo_search_base</" +"emphasis>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -"Den mest specifika matchingen används alltid. Till exempel, om alternativet " -"angav filter för en domän användaren är medlem i och ett globalt filter " -"skulle det domänspecifika filtret tillämpas. Om det finns fler matchningar " -"med samma specifikation används den första." 
+"Följande exempel visar hur man konfigurerar SSSD att hämta sudo-regler från " +"en LDAP-server." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 #, no-wrap msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" "\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -"# tillämpla endast filtret på än domän som heter dom1:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# tillämpa endast filtret på en domän som heter dom2:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# tillämpa endast filtret på en skog som heter EXEMPEL.SE:\n" -"FOREST:EXEMPEL.SE:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXEMPEL\n" "\n" -"# tillämpa filtret på en medlem av en nästad grupp i dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"[domain/EXEMPEL]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://exempel.se\n" +"ldap_sudo_search_base = ou=sudoers,dc=exempel,dc=se\n" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "ad_site (sträng)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> Det är viktigt att observera att på plattformar där " +"systemd stödjs finns det inget behov av att lägga till ”sudo”-leverantören " +"till listan av tjänster, eftersom det blev frivilligt. Dock måste sssd-sudo." +"socket vara aktiverat istället. </phrase>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -"Ange en AD-sajt som klienten skall försöka ansluta till. Om detta " -"alternativ inte anges kommer AD-sajten att automatupptäckas." +"När SSSD är konfigurerat till att använda IPA som ID-leverantör aktiveras " +"sudo-leverantören automatiskt. 
Sudo-sökbasen konfigureras till att använda " +"IPA:s egna LDAP-träd (cn=sudo,$SUFFIX). Om någon annan sökbas är definierad " +"i sssd.conf kommer detta värde användas istället. Kompatibilitetsträdet " +"(ou=sudoers,$SUFFIX) behövs inte längre för IPA-sudo-funktionalitet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "Cachnings-mekanismen för SUDO-regler" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -"Som standard ansluter SSSD till den globala katalogen först för att hämta " -"användare från betrodda domäner och använder LDAP-porten för att hämta " -"gruppmedlemskap som en reserv. Att avaktivera detta alternativ gör att SSSD " -"endast ansluter till lDAP-porten på den aktuella AD-servern." 
+"Den största utmaningen vid utvecklingen av stöd för sudo i SSSD var att " +"säkerställa att köra sudo med SSSD som datakälla ger samma " +"användarupplevelse och är lika snabbt som sudo men tillhandahåller de " +"senaste reglerna så mycket som möjligt. För att uppfylla dessa krav " +"använder SSSD tre sorters uppdateringar. De refereras till som fullständig " +"uppdatering, smart uppdatering och regeluppdatering." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -"Observera att att avaktivera stöd för den globala katalogen inte avaktiverar " -"att hämta användare från betrodda domäner. SSSD skulle ansluta till LDAP-" -"porten på den betrodda domänen istället. Dock måste den globala katalogen " -"användas för att slå upp gruppmedlemskap över domäner." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "ad_gpo_access_control (sträng)" +"Den <emphasis>smarta uppdateringen</emphasis> hämtar periodiskt regler som " +"är nya eller ändrades efter den senaste uppdateringen. Dess primära mål är " +"att se till att databasen växer genom att bara hämta små inkrementella steg " +"som inte genererar stora mängder med nätverkstrafik." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" -"Detta alternativ anger arbetsläget för GPO-baserad " -"åtkomstkontrollsfunktionalitet: huruvida det arbetar i avaktiverat läge, " -"tvingande läge eller tillåtande läge. Observera att alternativet " -"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</" -"quote> för att detta alternativ skall ha någon effekt." +"Den <emphasis>fullständiga uppdateringen</emphasis> raderar helt enkelt alla " +"sudo-regler som är lagrade i cachen och ersätter dem med alla regler som är " +"sparade på servern. Detta används för att hålla cachen konsistent genom att " +"ta bort varje regel som var raderad från servern. Dock kan en fullständig " +"uppdatering skapa mycket trafik och den bör alltså bara köras ibland " +"beroende på storleken och stabiliteten hos sudo-reglerna." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -"GPO-baserad åtkomstkontrollsfunktionalitet använder GPO-policyinställningar " -"för att avgöra huruvida en viss användare tillåts att logga på en viss värd." +"<emphasis>Regeluppdateringen</emphasis> säkerställer att vi inte ger " +"användaren fler rättigheter än definierat. Den triggas varje gång " +"användaren kör sudo. Regeluppdateringen kommer hitta alla regler som är " +"tillämpliga på den användaren, kontrollera deras utgångstidpunkt och hämta " +"om dem om de gått ut. Ifall att någon av dessa regler saknas på servern " +"kommer SSSD göra en fullständig uppdatering vid sidan av för att fler regler " +"(som är tillämpliga på andra användare) kan ha raderats." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"If enabled, SSSD will store only rules that can be applied to this machine. 
" +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -"OBS: Den nuvarande versionen av SSSD stödjer inte värd- (dator-)poster i GPO:" -"s ”säkerhetsfilter”-lista. Endast användar- och gruppposter stödjs. " -"Värdposter i listan har ingen effekt." +"Om aktiverat kommer SSSD endast lagra regler som kan tillämpas på denna " +"maskin. Detta betyder att regler som innehåller ett av följande värden i " +"attributet <emphasis>sudoHost</emphasis>:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "nyckelordet ALL" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "jokertecken (wildcard)" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "nätgrupp (i formen ”+nätgrupp”)" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "värdnamn eller fullständigt kvalificerat domännamn på denna maskin" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "en av IP-adresserna till denna maskin" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "en av IP-adresserna till nätverket (på formen ”adress/mask”)" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"OBS: Om arbetsläget är satt till tvingande är det möjligt att användare som " -"tidigare tilläts inloggningsåtkomst nu kommer att nekas inloggningsåtkomst " -"(som det dikteras av GPO-policyinställningarna). För att möjliggöra en " -"smidig övergång för administratörer är ett tillåtande läge tillgängligt som " -"inte kommer tvinga reglerna för åtkomstkontroll, men kommer beräkna dem och " -"skriva ut ett syslog-meddelande om åtkomst skulle ha nekats. Genom att " -"granska loggarna kan administratörer sedan göra de nödvändiga ändringarna " -"före de ställer in arbetsläget till tvingande." +"Det finns många konfigurationsalternativ som kan användas för att justera " +"beteendet. Se ”ldap_sudo_*” i <citerefentry> <refentrytitle>sssd-ldap</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> och ”sudo_*” i " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "Det finns tre stödda värden för detta alternativ:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "Demonen för systemsäkerhetstjänster" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"disabled: GPO-baserade åtkomstkontrollsregler varken evalueras eller " -"påtvingas." +"<command>sssd</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." -msgstr "enforcing: GPO-baserade åtkomstkontrollregler evalueras och påtvingas." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. 
It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" +"<command>SSSD</command> tillhandahåller en uppsättning demoner för att " +"hantera åtkomst till fjärrkataloger och autentiseringmekanismer. Det " +"tillhandahåller ett NSS- och PAM-gränssnitt mot systemet och ett system med " +"insticksmoduler till bakänden för att ansluta till flera olika kontokällor, " +"såväl som ett D-Bus-gränssnit. Det är också basen för att tillhandahålla " +"klientgranskning och policytjänster för projekt som FreeIPA. Det " +"tillhandahåller en mer robust databas att spara lokala användare såväl som " +"utökade användardata." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -"permissive: GPO-baserade åtkomstkontrollregler evalueras men påtvingas " -"inte. Istället skickas ett syslog-meddelande ut om indikerar att användaren " -"skulle ha nekats åtkomst om detta alternativs värde vore satt till enforcing." +"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVÅ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" -msgstr "Standard: permissive" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>läge</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" -msgstr "Standard: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" +"<emphasis>1</emphasis>: Lägg till en tidsstämpel till felsökningsmeddelandena" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" -msgstr "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" +"<emphasis>0</emphasis>: Avaktivera tidsstämpeln i felsökningsmeddelanden" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>läge</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. 
" -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -"Normalt när inga tillämpliga GPO:er finns tillåts användarna åtkomst. När " -"detta alternativ är satt till True kommer användare att tillåtas åtkomst " -"endast när det uttryckligen tillåts av en GPO-regel. Annars kommer " -"användare nekas åtkomst. Detta kan användas för att stärka säkerheten men " -"var försiktig när detta alternativ används för det kan neka åtkomst även " -"till användare i den inbyggda administratörsgruppen om inga GPO-regler är " -"tillämpliga på dem." +"<emphasis>1</emphasis>: Lägg till mikrosekunder till tidsstämpeln i " +"felsökningsmeddelanden" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" -msgstr "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "<emphasis>0</emphasis>: Avaktivera mikrosekunder i tidsstämpeln" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. 
This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -"Normalt när några gruppolicybehållare (AD-objekt) av några tillämpliga " -"gruppolicyobjekt inte är läsbara av SSSD så nekas användare åtkomst. Detta " -"alternativ tillåter att man ignorerar gruppolicybehållare och med dem " -"tillhörande policyer om deras attribut i gruppolicybehållare inte är läsbara " -"för SSSD." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" -msgstr "ad_gpo_cache_timeout (heltal)" +"Skicka felutskrifter till filer istället för standard fel. Som standard " +"sparas loggfilerna i <filename>/var/log/sssd</filename> och det finns " +"separata loggfiler för varje SSSD-tjänst och domän." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -"Tiden mellan uppslagningar av GPO-policyfiler AD-servern. Detta kommer " -"reducera tidsfördröjningen och lasten på AD-servern om det görs många " -"begäranden om åtkomstkontroll under en kort tid." +"Denna flagga undanbedes. Den är ersatt av <option>--logger=files</option>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" -msgstr "ad_gpo_map_interactive (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "<option>--logger=</option><replaceable>värde</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " -"åtkomstkontroll beräknas baserat på policyinställningarna " -"InteractiveLogonRight och DenyInteractiveLogonRight." +"Plats dit SSSD skall skicka loggmeddelanden. Denna flagga åsidosätter " +"värdet på den undanbedda flaggan <option>--debug-to-files</option>. Den " +"undanbedda flaggan kommer fortfarande fungera om <option>--logger</option> " +"inte används." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." 
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " -"”Tillåt inloggning lokalt” och ”Neka inloggning lokalt”." +"<emphasis>stderr</emphasis>: Omdirigera felmeddelanden till standard fel-" +"utmatning." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -"ad_gpo_map_interactive = +min_pam_tjänst, -login\n" -" " +"<emphasis>files</emphasis>: Omdirigera felsökningsmeddelanden till " +"loggfilerna. Som standard lagras loggfilerna i <filename>/var/log/sssd</" +"filename> och det finns separata loggfiler för varje SSSD-tjänstoch domän." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " -"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " -"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " -"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " -"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>login</" -"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" -"quote>) skulle man använda följande konfiguration: <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"<emphasis>journald</emphasis>: Omdirigera felsökningsmeddelanden till " +"systemd-journald" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" -msgstr "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Bli en demon efter att ha startat upp." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" -msgstr "lxdm" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" -msgstr "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Kör i förgrunden, bli inte en demon." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" -msgstr "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" -msgstr "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Ange en annan konfigurationsfil än standard. Standard är <filename>/etc/" +"sssd/sssd.conf</filename>. För referens till konfigurationfilsyntaxen och -" +"alternativ, konsultera manualsidan <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" -msgstr "ad_gpo_map_remote_interactive (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "<option>-g</option>,<option>--genconf</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +msgstr "" +"Starta inte SSSD, men uppdatera konfigurationsdatabasen från innehållet i " +"<filename>/etc/sssd/sssd.conf</filename> och avsluta sedan." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" +msgstr "<option>-s</option>,<option>--genconf-section</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." 
msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " -"åtkomstkontroll beräknas baserat på policyinställningarna " -"RemoteInteractiveLogonRight och DenyRemoteInteractiveLogonRight." +"Liknande <quote>--genconf</quote>, men uppdatera endast ett enskilt avsnitt " +"av konfigurationsfilen. Detta alternativt är huvudsakligen användbart för " +"att anropas från systemd:s unit-filer för att låta uttagsaktiverade " +"respondenter att uppdatera sina konfigurationer utan att kräva att " +"administratören startar om hela SSSD." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "Skriv ut versionsnumret och avsluta." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Signaler" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " -"”Tillåt inloggning via fjärrskrivbordstjänster” och ”Neka inloggning via " -"fjärrinloggningstjänter”." 
+"Säger till SSSD att snyggt avsluta alla dess barnprocesser och sedan stänga " +"av monitorn." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " -msgstr "" -"ad_gpo_map_remote_interactive = +min_pam_tjänst, -sshd\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " -"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " -"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " -"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " -"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>sshd</" -"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. 
<quote>min_pam-tjänst</" -"quote>) skulle man använda följande konfiguration: <placeholder type=" -"\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" -msgstr "sshd" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" -msgstr "cockpit" +"Säger till SSSD att sluta skriva till dess aktuella felsökningsfilbeskrivare " +"och stänga och öppna om dem. Detta är tänkt att möjliggöra loggrullning med " +"program som logrotate." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "ad_gpo_map_network (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " -"åtkomstkontroll beräknas baserat på policyinställningarna NetworkLogonRight " -"och DenyNetworkLogonRight." 
+"Säger till SSSD att simulera frånkopplad funktion under tiden hos parametern " +"<quote>offline_timeout</quote>. Detta är användbart för att testa. " +"Signalen kan skickas antingen till sssd-processen eller direkt till någon " +"sssd_be-process." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." -msgstr "" -"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " -"”Kom åt denna dator från nätverket” och ”Neka åtkomst till denna dator från " -"nätverket”." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -"ad_gpo_map_network = +min_pam_tjänst, -ftp\n" -" " +"Säger till SSSD att gå till uppkopplat läge omedelbart. Detta är användbart " +"för att testa. Signalen kan skickas antingen till sssd-processen eller " +"direkt till någon sssd_be-process." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +#| "applications will not use the fast in memory cache." msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " -"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " -"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " -"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " -"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>ftp</" -"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" -"quote>) skulle man använda följande konfiguration: <placeholder type=" -"\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "ftp" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "samba" +"Om miljövariabeln SSS_NSS_USE_MEMCACHE är satt till ”NO” kommer " +"klientprogram inte använda den snabba cachen i minnet." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" -msgstr "ad_gpo_map_batch (sträng)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." -msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " -"åtkomstkontroll beräknas baserat på policyinställningarna BatchLogonRight " -"och DenyBatchLogonRight." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "fördunkla ett klartextlösenord" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " -"”Tillåt inloggning som ett batch-jobb” och ”Neka inloggning som ett batch-" -"jobb”." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>[LÖSENORD]</" +"replaceable></arg>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -"ad_gpo_map_batch = +min_pam_tjänst, -crond\n" -" " +"<command>sss_obfuscate</command> konverterar ett givet lösenord till ett " +"format oläsbart för människor och placerar det i det passande domänavsnittet " +"av SSSD-konfigurationsfilen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." 
msgstr "" -"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " -"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " -"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " -"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " -"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>crond</" -"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</" -"quote>) skulle man använda följande konfiguration: <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Klartextlösenordet läses från standard in eller skrivs interaktivt. Det " +"fördunklade lösenordet läggs in i parametern <quote>ldap_default_authtok</" +"quote> av en given SSSD-domän och parametern " +"<quote>ldap_default_authtok_type</quote> sätts till " +"<quote>obfuscated_password</quote>. Se <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> för fler " +"detaljer om dessa parametrar." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -"Obs: cron-tjänstenamn kan skilja beroende på vilken Linuxdistribution som " -"används." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "crond" +"Observera att fördunklandet av lösenord ger <emphasis>ingen riktigt " +"säkerhetsförbättring</emphasis> eftersom det fortfarande är möjligt för en " +"anfallare att återskapa lösenrodet. Det rekommenderas <emphasis>starkt</" +"emphasis> att använda en bättre autentiseringsmekanism såsom " +"klientsidecertifikat eller GSSAPI." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "ad_gpo_map_service (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." -msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " -"åtkomstkontroll beräknas baserat på policyinställningarna ServiceLogonRight " -"och DenyServiceLogonRight." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "Lösenordet att fördunkla kommer läsas från standard in." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde " -"”Tillåt inloggning som en tjänst” och ”Neka inloggning som en tjänst”." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMÄN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -"ad_gpo_map_service = +min_pam_tjänst\n" -" " +"SSSD-domäner att använda lösenordet i. Standardnamnet är <quote>default</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. 
<quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -"Det är möjligt att lägga till ett PAM-tjänstnamn till standarduppsättningen " -"genom att använda <quote>+tjänstenamn</quote>. Eftersom " -"standarduppsättningen är tom är det inte möjligt att ta bort ett PAM-" -"tjänstenamn från standarduppsättningen. Till exempel, för att lägga till " -"ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</quote>) skulle " -"man använda följande konfiguration: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"<option>-f</option>,<option>--file</option> <replaceable>FIL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "ad_gpo_map_permit (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "Läs konfigurationsfilen som anges av positionsparametern." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Standard: <filename>/etc/sssd/sssd.conf</filename>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "sss_override" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "skapa lokala åsidosättanden av användar- och gruppattribut" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst " -"alltid tillåts, oavsett några andra GPO-inloggningsrättigheter." +"<command>sss_override</command> <arg choice='plain'><replaceable>KOMMANDO</" +"replaceable></arg> <arg choice='opt'> <replaceable>flaggor</replaceable> </" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -"ad_gpo_map_permit = +min_pam_tjänst, -sudo\n" -" " +"<command>sss_override</command> gör det möjligt att skapa en klientsidevy " +"och tillåter att man ändrar valda värden på specifika användare och " +"grupper. Denna ändring gäller endast på den lokala maskinen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. 
For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -"Det är möjligt att lägga till ett annat PAM-tjänstnamn till " -"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att " -"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom " -"att använda <quote>-tjänstenamn</quote>. Till exempel, för att byta ut ett " -"standard-PAM-tjänstenamn för ovillkorligt tillåten åtkomst (t.ex. " -"<quote>sudo</quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-" -"tjänst</quote>) skulle man använda följande konfiguration: <placeholder type=" -"\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" -msgstr "polkit-1" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" -msgstr "systemd-user" +"Data om åsidosättanden lagras i SSSD-cachen. Om cachen raderas förloras " +"alla lokala osådosättanden. 
Observera att efter det första åsidosättandet " +"har skapats med något av följande kommandon <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> eller " +"<emphasis>group-import</emphasis> behöver SSSD startas om för att det skall " +"få effekt. <emphasis>sss_override</emphasis> skriver ett meddelande när en " +"omstart behövs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "ad_gpo_map_deny (sträng)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "TILLGÄNGLIGA KOMMANDON" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst " -"alltid nekas, oavsett några andra GPO-inloggningsrättigheter." +"Argumentet <emphasis>NAMN</emphasis> är namnet på originalobjektet i alla " +"kommandon. Det är inte möjligt att åsidosätta <emphasis>uid</emphasis> " +"eller <emphasis>gid</emphasis> till 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -"ad_gpo_map_deny = +min_pam_tjänst\n" -" " - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" -msgstr "ad_gpo_default_right (sträng)" +"<option>user-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--" +"name</option> NAMN</optional> <optional><option>-u,--uid</option> AID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HEM</optional> <optional><option>-s,--" +"shell</option> SKAL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64-KODAT " +"CERTIFIKAT</optional>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. 
For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -"Detta alternativ definierar hur åtkomstkontroll beräknas för PAM-tjänstenamn " -"som inte är uttryckligen listade i en av alternativen ad_gpo_map_*. Detta " -"alternativ kan anges på två olika sätt. Antingen kan detta alternativ " -"sättas till att ange standardinloggningsrättigheter. Till exempel, om detta " -"alternativ är satt till ”interactive” betyder det att att omappade PAM-" -"tjänstenamn kommer bearbetas baserat på policyinställningarna " -"InteractiveLogonRight och DenyInteractiveLogonRight. Alternativt kan detta " -"alternativ sättas till att antingen alltid tillåta eller lltid neka åtkomst " -"för omappade PAM-tjänstenamn." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "Värden som stödjs för detta alternativ inkluderar:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "interactive" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "remote_interactive" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" -msgstr "network" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "batch" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" -msgstr "service" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" -msgstr "permit" +"Åsidosätt attribut på en användare. Var medveten om att anropa detta " +"kommando kommer ersätta eventuella tidigare åsidosättanden för (den " +"NAMNgivna) användaren." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" -msgstr "deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "<option>user-del</option> <emphasis>NAMN</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" -msgstr "Standard: deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" +"Ta bort användaråsidosättanden. Var dock medveten om att åsidosatta " +"attribut kan returneras från minnescachen. Se SSSD-alternativet " +"<emphasis>memcache_timeout</emphasis> för fler detaljer." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" -msgstr "ad_maximum_machine_account_password_age (heltal)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMÄN</" +"optional>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -"SSSD kommer en gång om dagen kontrollera om maskinkontolösenordet är äldre " -"än den givna ålder i dagar och försöka förnya det. Ett värde på 0 kommer " -"förhindra förnyelseförsöket." +"Lista alla användare med satta åsidosättanden. Om parametern " +"<emphasis>DOMÄN</emphasis> är satt listas endast användare från den domänen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "Standard: 30 dagar" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "<option>user-show</option> <emphasis>NAMN</emphasis>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" -msgstr "ad_machine_account_password_renewal_opts (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "Visa användaråsidosättanden." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "<option>user-import</option> <emphasis>FIL</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -"Detta alternativ skall endast användas för att testa " -"maskinkontoförnyelsefunktionen. Alternativet förväntar sig 2 heltal " -"separerade av ett kolon (”:”). Det första heltalet anger intervallet i " -"sekunder hur ofta funktionen körs. Det andra anger den initiala tidsgränsen " -"i sekunder före funktionen körs för första gången efter uppstart." +"Importera användaråsidosättanden från <emphasis>FIL</emphasis>. " +"Dataformatet liknar den vanliga passwd-filen. Formatet är:" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" -msgstr "Standard: 86400:750 (24h och 15m)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "urpsprungligt_namn:namn:uid:gid:gecos:hem:skal:bas64-kodat_certifikat" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -"Valfritt. Detta alternativ säger till SSSD att automatiskt uppdatera DNS-" -"servern i Active Directory med IP-adressen för denna klient. Uppdateringen " -"säkras med GSS-TSIG. Som en konsekvens av det behöver Active Directory-" -"administratören bara tillåta säkra uppdateringar för DNS-zonen. IP-adressen " -"för AD-LDAP-förbindelsen används för uppdateringar, om det inte specificeras " -"på annat sätt med alternativet <quote>dyndns_iface</quote>." +"där ursprungligt_namn är användarens originalnamn vars attribut skall " +"åsidosättas. Resten av fälten motsvarar nya värden. 
Man kan utelämna ett " +"värde helt enkelt genom att lämna motsvarande fält tomt." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "Standard: 3600 (sekunder)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "kwalker:fantomen::::::" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "kwalker@bangalla.com::501:501:Fantomen:/home/bangalla:/bin/bash:" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "<option>user-export</option> <emphasis>FIL</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -"Standard: använd IP-adresser för gränssnittet som används för AD LDAP-" -"förbindelsen" +"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</" +"emphasis>. Se <emphasis>user-import</emphasis> för dataformatet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den " -"automatiska uppdateringen som utförs när bakänden kopplar upp. Detta " -"alternativ är valfritt och tillämpligt endast när dyndns_update är sann. " -"Observera att det lägsta möjliga värdet är 60 sekunder, ifall ett värde " -"mindre än 60 ges kommer parametern endast anta det lägsta värdet." +"<option>group-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--" +"name</option> NAMN</optional> <optional><option>-g,--gid</option> GID</" +"optional>" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Standard: True" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" +"Åsidosätt attribut på en grupp. Var medveten om att anropa detta kommando " +"kommer ersätta eventuella tidigare åsidosättanden för (den NAMNgivna) " +"gruppen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "<option>group-del</option> <emphasis>NAMN</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se " -"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Detta " -"exempel visar endast alternativ som är specifika för leverantören AD." +"Ta bort gruppåsidosättanden. Var dock medveten om att åsidosatta attribut " +"kan returneras från minnescachen. Se SSSD-alternativet " +"<emphasis>memcache_timeout</emphasis> för fler detaljer." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -"[domain/EXEMPEL]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.exempel.se\n" -"ad_hostname = client.exempel.se\n" -"ad_domain = exempel.se\n" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMÄN</" +"optional>" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Lista alla grupper med satta åsidosättanden. Om parametern <emphasis>DOMÄN</" +"emphasis> är satt listas endast grupper från den domänen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "<option>group-show</option> <emphasis>NAMN</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." 
+msgstr "Visa gruppåsidosättanden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "<option>grupp-import</option> <emphasis>FIL</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -"Leverantören AD av åtkomstkontroll kontrollerar om kontot har gått ut. Det " -"har samma effekt som följande konfiguration av LDAP-leverantören: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Importera gruppåsidosättanden från <emphasis>FIL</emphasis>. Dataformatet " +"liknar den vanliga group-filen. Formatet är:" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "urpsprungligt_namn:namn:gid:" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" +"där ursprungligt_namn är gruppens originalnamn vars attribut skall " +"åsidosättas. Resten av fälten motsvarar nya värden. Man kan utelämna ett " +"värde helt enkelt genom att lämna motsvarande fält tomt." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "admin:administratorer:" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "Domain Users:Users:501" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "<option>group-export</option> <emphasis>FIL</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -"Dock, om inte åtkomstleverantören <quote>ad</quote> är konfigurerad explicit " -"är standardåtkomstleverantören <quote>permit</quote>. Observera att om man " -"konfigurerar en annan åtkomstleverantör än <quote>ad</quote> behöver man " -"sätta alla anslutningsparametrarna (såsoms LDAP URI:er och " -"krypteringsdetaljer) manuellt." +"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</" +"emphasis>. Se <emphasis>group-import</emphasis> för dataformatet." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "GEMENSAMMA FLAGGOR" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 -msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." -msgstr "" -"När autofs-leverantören är satt till <quote>ad</quote> används " -"översättningen av schemaattribut enligt RFC2307 (nisMap, nisObject, …), för " -"att dessa attribut inkluderas i standardschemat för Active Directory." +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "Dessa flaggor är tillgängliga med alla kommandon." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "<option>--debug-level</option> <replaceable>NIVÅ</replaceable>" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "Konfigurera sudo med SSSD-bakänden" +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "skapa en ny användare" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." 
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"Denna manualsida beskriver hur man konfigurerar <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"till att fungera med <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> och hur SSSD cachar sudo-regler." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "Konfigurera sudo att samarbeta med SSSD" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#: sss_useradd.8.xml:32 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -"För att aktivera SSSD som en källa för sudo-regler, lägg till <emphasis>sss</" -"emphasis> till posten <emphasis>sudoers</emphasis> i <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_useradd</command> skapar ett nytt användarkonto med värdena som " +"agnes på kommandoraden plus standardvärden från systemet" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -"Till exempel, för att konfigurera sudo till att först slå upp regler i " -"standardfilen <citerefentry> <refentrytitle>sudoers</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> (som bör innehålla regler som " -"gäller för lokala användare) och sedan i SSSD, skall filen nsswitch.conf " -"innehålla följande rad:" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" +"Sätt UID:n för användaren till värdet av <replaceable>UID</replaceable>. Om " +"det inte anges väljs det automatiskt." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -"Mer information om att konfigurera sökordningen för sudoers från filen " -"nsswitch.conf liksom information om LDAP-schemat som används för att spara " -"sudo-regler i katalogen finns i <citerefentry> <refentrytitle>sudoers.ldap</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -"<emphasis>Observera</emphasis>: för att använda nätgrupper eller IPA-" -"värdgrupper i sudo-regler behöver man även sätta <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> korrekt till sitt NIS-domännamn (som är samma som IPA-" -"domännamnet här värdgrupper används)." 
+"Godtycklig textsträng som beskriver användaren. Ofta använt som ett fält " +"för användarens fullständiga namn." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "Konfigurera SSSD till att hämta sudo-regler" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>HEMKATALOG</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -"All konfiguration som behövs på SSSD-sidan är att utöka listan över " -"<emphasis>tjänster</emphasis> med ”sudo” i avsnittet [sssd] i <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>. För att snabba upp LDAP-uppslagningarna kan man även sätta " -"sökbasen för sudo-regler med alternativet <emphasis>ldap_sudo_search_base</" -"emphasis>." 
+"Hemkatalogen för användarkontot. Standardvärde är att lägga till namnet " +"<replaceable>INLOGGNINGSNAMN</replaceable> till <filename>/home</filename> " +"och använda det som hemkatalog. Basen som läggs till före " +"<replaceable>INLOGGNINGSNAMN</replaceable> kan ställas in med inställningen " +"<quote>user_defaults/baseDirectory</quote> i sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -"Följande exempel visar hur man konfigurerar SSSD att hämta sudo-regler från " -"en LDAP-server." +"<option>-s</option>,<option>--shell</option> <replaceable>SKAL</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXEMPEL\n" -"\n" -"[domain/EXEMPEL]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://exempel.se\n" -"ldap_sudo_search_base = ou=sudoers,dc=exempel,dc=se\n" +"Användarens inloggningsskal. 
Standard är för närvarande <filename>/bin/" +"bash</filename>. Standardvärdet kan ändras med inställningen " +"<quote>user_defaults/defaultShell</quote> i sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> Det är viktigt att observera att på plattformar där " -"systemd stödjs finns det inget behov av att lägga till ”sudo”-leverantören " -"till listan av tjänster, eftersom det blev frivilligt. Dock måste sssd-sudo." -"socket vara aktiverat istället. </phrase>" +"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPER</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "En lista av befintliga grupper denna användare också är en medlem i." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -"När SSSD är konfigurerat till att använda IPA som ID-leverantör aktiveras " -"sudo-leverantören automatiskt. Sudo-sökbasen konfigureras till att använda " -"IPA:s egna LDAP-träd (cn=sudo,$SUFFIX). Om någon annan sökbas är definierad " -"i sssd.conf kommer detta värde användas istället. Kompatibilitetsträdet " -"(ou=sudoers,$SUFFIX) behövs inte längre för IPA-sudo-funktionalitet." +"Skapa användarens hemkatalog om den inte redan finns. Filerna och " +"katalogerna som finns i skelettkatalogen (som kan definieras med flaggan -k " +"eller i konfigurationsfilen) kommer kopieras till hemkatalogen." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "Cachnings-mekanismen för SUDO-regler" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -"Den största utmaningen vid utvecklingen av stöd för sudo i SSSD var att " -"säkerställa att köra sudo med SSSD som datakälla ger samma " -"användarupplevelse och är lika snabbt som sudo men tillhandahåller de " -"senaste reglerna så mycket som möjligt. För att uppfylla dessa krav " -"använder SSSD tre sorters uppdateringar. De refereras till som fullständig " -"uppdatering, smart uppdatering och regeluppdatering." +"Skapa inte användarens hemkatalog. Åsidosätter konfigurationsinställningar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -"Den <emphasis>smarta uppdateringen</emphasis> hämtar periodiskt regler som " -"är nya eller ändrades efter den senaste uppdateringen. Dess primära mål är " -"att se till att databasen växer genom att bara hämta små inkrementella steg " -"som inte genererar stora mängder med nätverkstrafik." 
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELKAT</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -"Den <emphasis>fullständiga uppdateringen</emphasis> raderar helt enkelt alla " -"sudo-regler som är lagrade i cachen och ersätter dem med alla regler som är " -"sparade på servern. Detta används för att hålla cachen konsistent genom att " -"ta bort varje regel som var raderad från servern. Dock kan en fullständig " -"uppdatering skapa mycket trafik och den bör alltså bara köras ibland " -"beroende på storleken och stabiliteten hos sudo-reglerna." +"Skelettkatalogen, som innehåller filer och kataloger som skall kopieras till " +"användarens hemkatalog, när hemkatalogen skapas av\n" +"<command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. 
" -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -"<emphasis>Regeluppdateringen</emphasis> säkerställer att vi inte ger " -"användaren fler rättigheter än definierat. Den triggas varje gång " -"användaren kör sudo. Regeluppdateringen kommer hitta alla regler som är " -"tillämpliga på den användaren, kontrollera deras utgångstidpunkt och hämta " -"om dem om de gått ut. Ifall att någon av dessa regler saknas på servern " -"kommer SSSD göra en fullständig uppdatering vid sidan av för att fler regler " -"(som är tillämpliga på andra användare) kan ha raderats." +"Specialfiler (blockenheter, teckenenheter, namngivna rör och unix-uttag) " +"kommer inte kopieras." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -"Om aktiverat kommer SSSD endast lagra regler som kan tillämpas på denna " -"maskin. Detta betyder att regler som innehåller ett av följande värden i " -"attributet <emphasis>sudoHost</emphasis>:" - -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "nyckelordet ALL" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "jokertecken (wildcard)" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "nätgrupp (i formen ”+nätgrupp”)" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" -msgstr "värdnamn eller fullständigt kvalificerat domännamn på denna maskin" - -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "en av IP-adresserna till denna maskin" +"Denna flagga är endast giltig om flaggan <option>-m</option> (eller " +"<option>--create-home</option>) anges, eller att skapandet av hemkataloger " +"är satt till TRUE i konfigurationen." -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "en av IP-adresserna till nätverket (på formen ”adress/mask”)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> <replaceable>SELINUX-" +"ANVÄNDARE</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -"Det finns många konfigurationsalternativ som kan användas för att justera " -"beteendet. Se ”ldap_sudo_*” i <citerefentry> <refentrytitle>sssd-ldap</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> och ”sudo_*” i " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"SELinux-användaren för användarens inloggning. Om det inte anges används " +"systemstandarden." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "Demonen för systemsäkerhetstjänster" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 -msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>flaggor</" -"replaceable> </arg>" +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "SSSD:s Kerberos-leverantör" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sssd-krb5.5.xml:23 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"<command>SSSD</command> tillhandahåller en uppsättning demoner för att " -"hantera åtkomst till fjärrkataloger och autentiseringmekanismer. Det " -"tillhandahåller ett NSS- och PAM-gränssnitt mot systemet och ett system med " -"insticksmoduler till bakänden för att ansluta till flera olika kontokällor, " -"såväl som ett D-Bus-gränssnit. Det är också basen för att tillhandahålla " -"klientgranskning och policytjänster för projekt som FreeIPA. Det " -"tillhandahåller en mer robust databas att spara lokala användare såväl som " -"utökade användardata." +"Denna manualsida beskriver konfigurationen av bakänden för Kerberos 5-" +"autentisering för <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. För en detaljerad syntaxreferens, " +"se avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVÅ</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>läge</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -"<emphasis>1</emphasis>: Lägg till en tidsstämpel till felsökningsmeddelandena" +"Kerberos 5-autentiseringsbakänden innehåller auth- och chpass-leverantörer. " +"Den måste paras ihop med en identitetsleverantör för att fungera korrekt " +"(till exempel, id_provider = ldap). En del information krävs av Kerberos 5-" +"autentiseringsbakänden måste tillhandahållas av identitetsleverantören, " +"såsom användarens Kerberos huvudmannanamn (UPN). Konfigurationen av " +"identitetsleverantören skall ha en post för att ange UPN:en. 
Se manualsidan " +"för den tillämpliga identitetsleverantören för detaljer om hur man " +"konfigurerar detta." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -"<emphasis>0</emphasis>: Avaktivera tidsstämpeln i felsökningsmeddelanden" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>läge</replaceable>" +"Denna bakände tillhandahåller även åtkomstkontroll baserad på filen .k5login " +"i användarens hemkatalog Se <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> för mer detaljer. " +"Observera att en tom .k5login-fil kommer neka all åtkomst till denna " +"användare. För att aktivera denna funktion, använd ”access_provider = krb5” " +"i din SSSD-konfiguration." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -"<emphasis>1</emphasis>: Lägg till mikrosekunder till tidsstämpeln i " -"felsökningsmeddelanden" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" -msgstr "<emphasis>0</emphasis>: Avaktivera mikrosekunder i tidsstämpeln" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +"I situationer där UPN:en inte är tillgänglig i identitetsbakänden kommer " +"<command>sssd</command> konstruera en UPN genom att använda formatet " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Skicka felutskrifter till filer istället för standard fel. Som standard " -"sparas loggfilerna i <filename>/var/log/sssd</filename> och det finns " -"separata loggfiler för varje SSSD-tjänst och domän." +"Anger en kommaseparerad lista av IP-adresser eller värdnamn till " +"Kerberosservrar till vilka SSSD skall ansluta, i prioritetsordning. För mer " +"information om reserver och serverredundans se avsnittet <quote>RESERVER</" +"quote>. Ett frivilligt portnummer (föregånget av ett kolon) kan läggas till " +"till adresserna eller värdnamnen. Om tomt aktiveras tjänsteupptäckt; för " +"mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -"Denna flagga undanbedes. Den är ersatt av <option>--logger=files</option>." +"Namnet på Kerberos-riket. Detta alternativ är nödvändigt och måste anges." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "<option>--logger=</option><replaceable>värde</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -"Plats dit SSSD skall skicka loggmeddelanden. Denna flagga åsidosätter " -"värdet på den undanbedda flaggan <option>--debug-to-files</option>. Den " -"undanbedda flaggan kommer fortfarande fungera om <option>--logger</option> " -"inte används." +"Om tjänsten för att ändra lösenord inte kör på KDC:n kan alternativa servrar " +"definieras här. Ett frivilligt portnummer (föregått av ett kolon) kan " +"läggas till efter adresser eller värdnamn." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -"<emphasis>stderr</emphasis>: Omdirigera felmeddelanden till standard fel-" -"utmatning." +"För mer information om reserver och serverredundans se avsnittet " +"<quote>RESERVER</quote>. 
OBSERVERA: även om det inte finns några fler " +"kpasswd-servrar att försöka med byter inte bakänden till att köra " +"frånkopplat om autenticering mot KDC:n fortfarande är möjligt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 -msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." -msgstr "" -"<emphasis>files</emphasis>: Omdirigera felsökningsmeddelanden till " -"loggfilerna. Som standard lagras loggfilerna i <filename>/var/log/sssd</" -"filename> och det finns separata loggfiler för varje SSSD-tjänstoch domän." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Standard: använd KDC:n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -"<emphasis>journald</emphasis>: Omdirigera felsökningsmeddelanden till " -"systemd-journald" +"Katalog att lagra kreditiv-cachar i. Alla substitutionssekvenserna i " +"krb5_ccname_template kan användas här också, utom %d och %P. 
Katalogen " +"skapas som privat och ägd av användaren, med rättigheterna satta till 0700." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Standard: /tmp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Bli en demon efter att ha startat upp." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Kör i förgrunden, bli inte en demon." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "inloggningsnamn" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 -msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" -"Ange en annan konfigurationsfil än standard. Standard är <filename>/etc/" -"sssd/sssd.conf</filename>. För referens till konfigurationfilsyntaxen och -" -"alternativ, konsultera manualsidan <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "inloggnings-UID" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" -msgstr "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." -msgstr "" -"Starta inte SSSD, men uppdatera konfigurationsdatabasen från innehållet i " -"<filename>/etc/sssd/sssd.conf</filename> och avsluta sedan." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "huvudmannanamn" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" -msgstr "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "namn på rike" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 -msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." -msgstr "" -"Liknande <quote>--genconf</quote>, men uppdatera endast ett enskilt avsnitt " -"av konfigurationsfilen. Detta alternativt är huvudsakligen användbart för " -"att anropas från systemd:s unit-filer för att låta uttagsaktiverade " -"respondenter att uppdatera sina konfigurationer utan att kräva att " -"administratören startar om hela SSSD." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "hemkatalog" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Skriv ut versionsnumret och avsluta." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "värdet på krb5_ccachedir" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Signaler" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "process-ID:t på SSSD-klienten" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." 
-msgstr "" -"Säger till SSSD att snyggt avsluta alla dess barnprocesser och sedan stänga " -"av monitorn." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "ett bokstavligt ”%”" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"Säger till SSSD att sluta skriva till dess aktuella felsökningsfilbeskrivare " -"och stänga och öppna om dem. Detta är tänkt att möjliggöra loggrullning med " -"program som logrotate." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" +"Platsen för användarens kreditiv-cache. 
Tre typer av kreditiv-cacher stödjs " +"för närvarande: <quote>FIEL</quote>, <quote>DIR</quote> och <quote>KEYRING:" +"persistent</quote>. Cachen kan anges antingen som <replaceable>TYP:" +"ÅTERSTOD</replaceable>, eller som en absolut sökväg, vilket implicerar typen " +"<quote>FILE</quote>. I mallen ersätts följande sekvenser: <placeholder type=" +"\"variablelist\" id=\"0\"/> Om mallen slutar med ”XXXXXX” används mkstemp(3) " +"för att skapa ett unikt filnamn på ett säkert sätt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -"Säger till SSSD att simulera frånkopplad funktion under tiden hos parametern " -"<quote>offline_timeout</quote>. Detta är användbart för att testa. " -"Signalen kan skickas antingen till sssd-processen eller direkt till någon " -"sssd_be-process." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" +"När KEYRING-typer används är den enda mekanismen som stödjs <quote>KEYRING:" +"persistent:%U</quote>, vilket använder Linuxkärnans nyckelring för att lagra " +"kreditiv på per-UID-bas. Detta är också det rekommenderade valet, eftersom " +"det är den säkraste och mest förutsägbara metoden." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -"Säger till SSSD att gå till uppkopplat läge omedelbart. Detta är användbart " -"för att testa. Signalen kan skickas antingen till sssd-processen eller " -"direkt till någon sssd_be-process." +"Standardvärdet för namnet på kreditiv-cachen läses från profilen som fil " +"sparad i den systemtäckande konfigurationsfilen krb5.conf i avsnittet " +"[libdefaults]. Alternativnamnet är default_ccache_name. Se krb5.conf(5)s " +"avsnitt PARAMETEREXPANSION för mer information om expansionsformatet som " +"definieras av krb5.conf." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -"Om miljövariabeln SSS_NSS_USE_MEMCACHE är satt till ”NO” kommer " -"klientprogram inte använda den snabba cachen i minnet." 
+"OBSERVERA: var medveten om att ccache-expansionsmallen för libkrb5 från " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> använder andra expansionssekvenser än SSSD." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Standard: (från libkrb5)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "fördunkla ett klartextlösenord" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (heltal)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</" -"replaceable> </arg> <arg choice='plain'><replaceable>[LÖSENORD]</" -"replaceable></arg>" +"Tidsgräns i sekunder efter vilken en uppkopplad begäran om autentisering " +"eller begäran om lösenordsändring avbryts. OM möjligt fortsätts begäran om " +"autentisering frånkopplat." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 -msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." -msgstr "" -"<command>sss_obfuscate</command> konverterar ett givet lösenord till ett " -"format oläsbart för människor och placerar det i det passande domänavsnittet " -"av SSSD-konfigurationsfilen." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (boolean)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -"Klartextlösenordet läses från standard in eller skrivs interaktivt. 
Det " -"fördunklade lösenordet läggs in i parametern <quote>ldap_default_authtok</" -"quote> av en given SSSD-domän och parametern " -"<quote>ldap_default_authtok_type</quote> sätts till " -"<quote>obfuscated_password</quote>. Se <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> för fler " -"detaljer om dessa parametrar." +"Verifiera med hjälp av krb5_keytab att den TGT om hämtats inte har " +"förfalskats. I keytab:en kontrolleras poster sekvensiellt, och den första " +"posten med ett matchande rike används för validering. Om ingen post machar " +"riket används den sista posten i keytab:en. Denna process kan användas för " +"att validera miljöer genom att använda förtroenden mellan riken genom att " +"placera den motsvarande keytab-posten som sista post eller den enda posten i " +"keytab-filen." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." -msgstr "" -"Observera att fördunklandet av lösenord ger <emphasis>ingen riktigt " -"säkerhetsförbättring</emphasis> eftersom det fortfarande är möjligt för en " -"anfallare att återskapa lösenrodet. Det rekommenderas <emphasis>starkt</" -"emphasis> att använda en bättre autentiseringsmekanism såsom " -"klientsidecertifikat eller GSSAPI." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (sträng)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" +"Platsen där keytab:en som skall användas för validering av kreditiv som tas " +"emot från KDC:er finns." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Standard: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." -msgstr "Lösenordet att fördunkla kommer läsas från standard in." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (boolean)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." 
msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMÄN</" -"replaceable>" +"Spara lösenordet för användaren om leverantören är frånkopplad och använd " +"det för att begära en TGT när leverantören blir uppkopplad igen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -"SSSD-domäner att använda lösenordet i. Standardnamnet är <quote>default</" -"quote>." +"OBS: denna funktion är endast tillgänglig på Linux. Lösenord som lagras på " +"detta sätt hålls i klartext i kärnans nyckelring och är potentiellt " +"åtkomliga för root-användaren (med svårighet)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>FIL</replaceable>" +"Begär en förnybar biljett med en total livslängd, given som ett heltal " +"omedelbart följd av en tidsenhet:" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "Läs konfigurationsfilen som anges av positionsparametern." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> för sekunder" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Standard: <filename>/etc/sssd/sssd.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> för minuter" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "sss_override" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> för timmar" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "skapa lokala åsidosättanden av användar- och gruppattribut" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> för dagar." -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" -msgstr "" -"<command>sss_override</command> <arg choice='plain'><replaceable>KOMMANDO</" -"replaceable></arg> <arg choice='opt'> <replaceable>flaggor</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -"<command>sss_override</command> gör det möjligt att skapa en klientsidevy " -"och tillåter att man ändrar valda värden på specifika användare och " -"grupper. Denna ändring gäller endast på den lokala maskinen." +"OBSERVERA: det är inte möjligt att blanda enheter. För att sätta den " +"förnybara livslängden till en och en halv timma, använd ”90m” istället för " +"”1h30m”." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Standard: inte satt, d.v.s. 
TGT:en är inte förnybar" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -"Data om åsidosättanden lagras i SSSD-cachen. Om cachen raderas förloras " -"alla lokala osådosättanden. Observera att efter det första åsidosättandet " -"har skapats med något av följande kommandon <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> eller " -"<emphasis>group-import</emphasis> behöver SSSD startas om för att det skall " -"få effekt. <emphasis>sss_override</emphasis> skriver ett meddelande när en " -"omstart behövs." +"Begär en biljett med en livslängd, given som ett heltal omedelbart följd av " +"en tidsenhet:" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" -msgstr "TILLGÄNGLIGA KOMMANDON" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -"Argumentet <emphasis>NAMN</emphasis> är namnet på originalobjektet i alla " -"kommandon. Det är inte möjligt att åsidosätta <emphasis>uid</emphasis> " -"eller <emphasis>gid</emphasis> till 0." +"OBSERVERA: det är inte möjligt att blanda enheter. För att sätta " +"livslängden till en och en halv timma, använd ”90m” istället för ”1h30m”." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
msgstr "" -"<option>user-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--" -"name</option> NAMN</optional> <optional><option>-u,--uid</option> AID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HEM</optional> <optional><option>-s,--" -"shell</option> SKAL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64-KODAT " -"CERTIFIKAT</optional>" +"Standard: inte satt, d.v.s. biljettens stanardlivsläng konfigurerad på KDC:n." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Åsidosätt attribut på en användare. Var medveten om att anropa detta " -"kommando kommer ersätta eventuella tidigare åsidosättanden för (den " -"NAMNgivna) användaren." +"Tiden i sekunder mellan två kontroller om TGT:en skall förnyas. TGT:er " +"förnyas om ungefär halva deras livstid har överskridits, givet som ett " +"heltal omedelbart följt av en tidsenhet:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" -msgstr "<option>user-del</option> <emphasis>NAMN</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" +"Om detta alternativ inte är satt eller är 0 är den automatiska förnyelsen " +"avaktiverad." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -"Ta bort användaråsidosättanden. Var dock medveten om att åsidosatta " -"attribut kan returneras från minnescachen. Se SSSD-alternativet " -"<emphasis>memcache_timeout</emphasis> för fler detaljer." +"Aktiverar flexibel autentisering via säker tunnling (flexible authentication " +"secure tunneling, FAST) för Kerberos förautentisering. Följande alternativ " +"stödjs:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" +"<emphasis>never</emphasis> använd aldrig FAST. Detta är ekvivalent med att " +"inte ställa in denna This is ekvivalent med att inte sätta detta alterinativ " +"alls." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMÄN</" -"optional>" +"<emphasis>try</emphasis> försök använda FAST. Om servern inte stödjer FAST, " +"fortsätt då autentiseringen utan den." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -"Lista alla användare med satta åsidosättanden. Om parametern " -"<emphasis>DOMÄN</emphasis> är satt listas endast användare från den domänen." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" -msgstr "<option>user-show</option> <emphasis>NAMN</emphasis>" +"<emphasis>demand</emphasis> kräv användning av FAST. Autentiseringen " +"misslyckas om servern inte begär fast." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." -msgstr "Visa användaråsidosättanden." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Standard: inte satt, d.v.s. 
FAST används inte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" -msgstr "<option>user-import</option> <emphasis>FIL</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "OBSERVERA: en keytab krävs för att använda FAST." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -"Importera användaråsidosättanden från <emphasis>FIL</emphasis>. " -"Dataformatet liknar den vanliga passwd-filen. Formatet är:" +"OBSERVERA: SSSD stödjer endast FAST med MIT Kerberos version 1.8 och " +"senare. Om SSSD används med en äldre version av MIT Kerberos är det ett " +"konfigurationsfel att använda detta alternativ." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" -msgstr "urpsprungligt_namn:namn:uid:gid:gecos:hem:skal:bas64-kodat_certifikat" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "Anger serverhuvudmannen att använda för FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -"där ursprungligt_namn är användarens originalnamn vars attribut skall " -"åsidosättas. Resten av fälten motsvarar nya värden. Man kan utelämna ett " -"värde helt enkelt genom att lämna motsvarande fält tomt." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" -msgstr "kwalker:fantomen::::::" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "kwalker@bangalla.com::501:501:Fantomen:/home/bangalla:/bin/bash:" +"Anger om värdens och användarens huvudman skall göras kononisk. Denna " +"funktion är tillgänglig med MIT Kerberos 1.7 och senare versioner." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" -msgstr "<option>user-export</option> <emphasis>FIL</emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" +msgstr "krb5_kdcinfo_lookahead (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</" -"emphasis>. Se <emphasis>user-import</emphasis> för dataformatet." +"När krb5_use_kdcinfo är satt till true kan man begränsa mängden servrar som " +"skcikas till <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. Detta kan vara " +"användbart när det finns för många servrar som upptäcks med hjälp av SRV-" +"poster." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +#, fuzzy +#| msgid "" +#| "The krb5_kdcinfo_lookahead option contains two numbers seperated by a " +#| "colon. The first number represents number of primary servers used and the " +#| "second number specifies the number of backup servers." 
msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -"<option>group-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--" -"name</option> NAMN</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"Alternativet krb5_kdcinfo_lookahead innehåller två tal separerade av ett " +"kolon. Det första talet representerar antalet primärservrar som används och " +"det andra talet anger antalet reservservrar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +#| "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. but no backup " +#| "servers." msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -"Åsidosätt attribut på en grupp. Var medveten om att anropa detta kommando " -"kommer ersätta eventuella tidigare åsidosättanden för (den NAMNgivna) " -"gruppen." 
+"Till exempel betyder <emphasis>10:0</emphasis> att upp till 10 primärservrar " +"kommer lämnas till<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. men inga " +"reservservrar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" -msgstr "<option>group-del</option> <emphasis>NAMN</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" +msgstr "Standard: 3:1" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 -msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." -msgstr "" -"Ta bort gruppåsidosättanden. Var dock medveten om att åsidosatta attribut " -"kan returneras från minnescachen. Se SSSD-alternativet " -"<emphasis>memcache_timeout</emphasis> för fler detaljer." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (boolean)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." 
msgstr "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMÄN</" -"optional>" +"Anger om användarens huvudman skall behandlas som företagshuvudman. Se " +"avsnitt 5 i RFC 6806 för mer detaljer om företagshuvudmän." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "Standard: false (AD-leverantör: true)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -"Lista alla grupper med satta åsidosättanden. Om parametern <emphasis>DOMÄN</" -"emphasis> är satt listas endast grupper från den domänen." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" -msgstr "<option>group-show</option> <emphasis>NAMN</emphasis>" +"IPA-leverantören kommer sätta detta alternativ till ”true” om den upptäcker " +"att servern klarar av att hantera företagshuvudmän och alternativet inte är " +"uttryckligen satt i konfigurationsfilen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." -msgstr "Visa gruppåsidosättanden." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" -msgstr "<option>grupp-import</option> <emphasis>FIL</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" +"Listan av mappningar anges som en kommaseparerad lista av par " +"<quote>användarnamn:primär</quote> där <quote>användarnamn</quote> är ett " +"UNIX-användarnamn och <quote>primär</quote> är en användardel av en " +"kerberoshuvudman. Denna mappning används när användaren autentiserar med " +"<quote>auth_provider = krb5</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -"Importera gruppåsidosättanden från <emphasis>FIL</emphasis>. Dataformatet " -"liknar den vanliga group-filen. Formatet är:" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" -msgstr "urpsprungligt_namn:namn:gid:" +"krb5_realm = RIKE\n" +"krb5_map_user = maria:manvnd,hasse:hans\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -"där ursprungligt_namn är gruppens originalnamn vars attribut skall " -"åsidosättas. Resten av fälten motsvarar nya värden. Man kan utelämna ett " -"värde helt enkelt genom att lämna motsvarande fält tomt." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" -msgstr "admin:administratorer:" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "Domain Users:Users:501" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" -msgstr "<option>group-export</option> <emphasis>FIL</emphasis>" +"<quote>maria</quote> och <quote>hasse</quote> är UNIX-användarnamn och " +"<quote>manvnd</quote> och <quote>hans</quote> är primärer i " +"kerberoshuvudmän. För användaren <quote>maria</quote> resp. <quote>hasse</" +"quote> kommer SSSD försöka att göra kinit som <quote>manvndr@RIKE</quote> " +"resp. <quote>hans@RIKE</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</" -"emphasis>. Se <emphasis>group-import</emphasis> för dataformatet." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" -msgstr "GEMENSAMMA FLAGGOR" +"Om autentiseringsodulen krb5 används in en SSD-domän måste följande " +"alternativ användas. Se manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, avsnittet " +"<quote>DOMÄNSEKTIONER</quote> för detaljer om konfigurationen av en SSSD-" +"domän. <placeholder type=\"variablelist\" id=\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "Dessa flaggor är tillgängliga med alla kommandon." +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" +"Följande exempel antar att SSSD är korrekt konfigurerard och att APA är en " +"av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Detta exempel " +"visar endast konfigurationen av Kerberosautentisering; det inkluderar inte " +"någon identitetsleverantör." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" -msgstr "<option>--debug-level</option> <replaceable>NIVÅ</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" +"[domain/APA]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXEMPEL.SE\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "skapa en ny användare" +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "skapa en ny grupp" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_groupadd.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" "arg>" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</" -"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</" -"replaceable></arg>" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_groupadd.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -"<command>sss_useradd</command> skapar ett nytt användarkonto med värdena som " -"agnes på kommandoraden plus standardvärden från systemet" +"<command>sss_groupadd</command> skapar en ny grupp. Dessa grupper är " +"kompatibla med POSIX-grupper, med den ytterligare funktionen att de kan " +"innehålla andra grupper som medlemmar." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sss_groupadd.8.xml:48 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " "not given, it is chosen automatically." msgstr "" -"Sätt UID:n för användaren till värdet av <replaceable>UID</replaceable>. Om " +"Sätt GID:n för gruppen till värdet av <replaceable>GID</replaceable>. Om " "det inte anges väljs det automatiskt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "ta bort ett användarkonto" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</" -"replaceable>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -"Godtycklig textsträng som beskriver användaren. Ofta använt som ett fält " -"för användarens fullständiga namn." +"<command>sss_userdel</command> tar bort en användare identifierad av " +"inloggningsnamnet <replaceable>INLOGGNINGSNAMN</replaceable> från systemet." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" -msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>HEMKATALOG</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_userdel.8.xml:48 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"Hemkatalogen för användarkontot. Standardvärde är att lägga till namnet " -"<replaceable>INLOGGNINGSNAMN</replaceable> till <filename>/home</filename> " -"och använda det som hemkatalog. Basen som läggs till före " -"<replaceable>INLOGGNINGSNAMN</replaceable> kan ställas in med inställningen " -"<quote>user_defaults/baseDirectory</quote> i sssd.conf." +"Filer i användarens hemkatalog kommer tas bort tillsammans med själva " +"hemkatalogen och användarens brevlåda. Åsidosätter konfigurationen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" -msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>SKAL</replaceable>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#: sss_userdel.8.xml:60 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." 
+"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"Användarens inloggningsskal. Standard är för närvarande <filename>/bin/" -"bash</filename>. Standardvärdet kan ändras med inställningen " -"<quote>user_defaults/defaultShell</quote> i sssd.conf." +"Filer i användarens hemkatalog kommer INTE tas bort tillsammans med själva " +"hemkatalogen och användarens brevlåda. Åsidosätter konfigurationen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" -msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPER</" -"replaceable>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "En lista av befintliga grupper denna användare också är en medlem i." +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" +"Denna flagga tvingar <command>sss_userdel</command> att ta bort användarens " +"hemkatalog och brevlåda, även om de inte ägs av den angivna användaren." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." -msgstr "" -"Skapa användarens hemkatalog om den inte redan finns. Filerna och " -"katalogerna som finns i skelettkatalogen (som kan definieras med flaggan -k " -"eller i konfigurationsfilen) kommer kopieras till hemkatalogen." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "Före användaren faktiskt tas bort, döda alla hans processer." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "ta bort en grupp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"Skapa inte användarens hemkatalog. Åsidosätter konfigurationsinställningar." 
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELKAT</" -"replaceable>" +"<command>sss_groupdel</command> tar bort en grupp identifierad av sitt namn " +"<replaceable>GRUPP</replaceable> från systemet." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." -msgstr "" -"Skelettkatalogen, som innehåller filer och kataloger som skall kopieras till " -"användarens hemkatalog, när hemkatalogen skapas av\n" -"<command>sss_useradd</command>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "skriv ut egenskaperna hos en grupp" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." 
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"Specialfiler (blockenheter, teckenenheter, namngivna rör och unix-uttag) " -"kommer inte kopieras." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -"Denna flagga är endast giltig om flaggan <option>-m</option> (eller " -"<option>--create-home</option>) anges, eller att skapandet av hemkataloger " -"är satt till TRUE i konfigurationen." +"<command>sss_groupsho</command> visar information om en grupp identifierad " +"av sitt namn <replaceable>GRUPP</replaceable>. Informationen inkluderar " +"grupp-ID-numret, medlemmar i gruppen och föräldragruppen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" -msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> <replaceable>SELINUX-" -"ANVÄNDARE</replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#: sss_groupshow.8.xml:47 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -"SELinux-användaren för användarens inloggning. Om det inte anges används " -"systemstandarden." +"Skriv även ut indirekta gruppmedlemmar i en trädliknande hierarki. " +"Observera att detta även påverkar utskriften av föräldragrupper – utan " +"<option>R</option> kommer endast dem direkta föräldern skrivas ut." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "SSSD:s Kerberos-leverantör" +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "ändra ett användarkonto" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." 
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"Denna manualsida beskriver konfigurationen av bakänden för Kerberos 5-" -"autentisering för <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. För en detaljerad syntaxreferens, " -"se avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</" +"replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_usermod.8.xml:32 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"Kerberos 5-autentiseringsbakänden innehåller auth- och chpass-leverantörer. " -"Den måste paras ihop med en identitetsleverantör för att fungera korrekt " -"(till exempel, id_provider = ldap). En del information krävs av Kerberos 5-" -"autentiseringsbakänden måste tillhandahållas av identitetsleverantören, " -"såsom användarens Kerberos huvudmannanamn (UPN). 
Konfigurationen av " -"identitetsleverantören skall ha en post för att ange UPN:en. Se manualsidan " -"för den tillämpliga identitetsleverantören för detaljer om hur man " -"konfigurerar detta." +"<command>sss_usermod</command> ändrar kontot som anges av " +"<replaceable>INLOGGNINGSNAMN</replaceable> till att avspegla ändringarna som " +"anges på kommandoraden." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." -msgstr "" -"Denna bakände tillhandahåller även åtkomstkontroll baserad på filen .k5login " -"i användarens hemkatalog Se <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> för mer detaljer. " -"Observera att en tom .k5login-fil kommer neka all åtkomst till denna " -"användare. För att aktivera denna funktion, använd ”access_provider = krb5” " -"i din SSSD-konfiguration." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "Användarkontots hemkatalog." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "Användarens inloggningsskal." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" -"I situationer där UPN:en inte är tillgänglig i identitetsbakänden kommer " -"<command>sssd</command> konstruera en UPN genom att använda formatet " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"Lägg till denna användare till grupperna som anges av parametern " +"<replaceable>GRUPPER</replaceable> parameter. Parametern " +"<replaceable>GRUPPER</replaceable> är en kommaseparerad lista av gruppnamn." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"Anger en kommaseparerad lista av IP-adresser eller värdnamn till " -"Kerberosservrar till vilka SSSD skall ansluta, i prioritetsordning. 
För mer " -"information om reserver och serverredundans se avsnittet <quote>RESERVER</" -"quote>. Ett frivilligt portnummer (föregånget av ett kolon) kan läggas till " -"till adresserna eller värdnamnen. Om tomt aktiveras tjänsteupptäckt; för " -"mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>." +"Ta bort denna användare från grupperna som anges av parametern " +"<replaceable>GRUPPER</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Lås användarkontot. Användare kommer inte kunna logga in." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Lås upp användarkontot." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "SELinux-användaren för användarens inloggning." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--addattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Lägg till ett attribut/värde-par. Formatet är attrnamn=värde." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--setattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"Namnet på Kerberos-riket. Detta alternativ är nödvändigt och måste anges." +"Sätt ett attribut till ett namn/värde-par. Formatet är attrnamn=värde. För " +"flervärda attribut ersätter kommandot de värden som redan finns" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--delattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Ta bort ett attribut/värde-par. Formatet är attrnamn=värde." + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "utför cacherensning" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"Om tjänsten för att ändra lösenord inte kör på KDC:n kan alternativa servrar " -"definieras här. Ett frivilligt portnummer (föregått av ett kolon) kan " -"läggas till efter adresser eller värdnamn." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -"För mer information om reserver och serverredundans se avsnittet " -"<quote>RESERVER</quote>. 
OBSERVERA: även om det inte finns några fler " -"kpasswd-servrar att försöka med byter inte bakänden till att köra " -"frånkopplat om autenticering mot KDC:n fortfarande är möjligt." +"<command>sss_cache</command> invalidrtst poster i SSSD-cachen. Invaliderade " +"poster måste hämtas om från servern så fort den tillhörande SSSD-bakänden är " +"ansluten. Flaggor som invaliderar ett enstaka objekt tar bara ett ensamt " +"argument." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Standard: använd KDC:n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "Invalidera alla cachade poster." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" -"Katalog att lagra kreditiv-cachar i. Alla substitutionssekvenserna i " -"krb5_ccname_template kan användas här också, utom %d och %P. 
Katalogen " -"skapas som privat och ägd av användaren, med rättigheterna satta till 0700." +"<option>-u</option>,<option>--user</option> <replaceable>inloggning</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Standard: /tmp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalidera en viss användare." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" +"Invalidera alla användarposter. Detta alternativ åsidosätter invalidering " +"av en viss användare om det också angavs." -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "inloggningsnamn" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>grupp</replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "Invalidera en viss grupp." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "inloggnings-UID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"Invalidera alla grupposter. Detta alternativ åsidosätter invalidering av en " +"viss grupp om det också angavs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "huvudmannanamn" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>nätgrupp</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Invalidera en viss nätgrupp." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "namn på rike" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"Invalidera alla nätgruppsposter. Detta alternativ åsidosätter invalidering " +"av en viss nätgrupp om det också angavs." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "hemkatalog" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>tjänst</" +"replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Invalidera en viss tjänst." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" -msgstr "värdet på krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"Invalidera alla tjänsteposter. Detta alternativ åsidosätter invalidering av " +"en viss tjänst om det också angavs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" -msgstr "process-ID:t på SSSD-klienten" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-" +"översättning</replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalidera specifika autofs-översättningar." -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "ett bokstavligt ”%”" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Invalidate all autofs maps. 
This option overrides invalidation of specific " +"map if it was also set." msgstr "" -"Platsen för användarens kreditiv-cache. Tre typer av kreditiv-cacher stödjs " -"för närvarande: <quote>FIEL</quote>, <quote>DIR</quote> och <quote>KEYRING:" -"persistent</quote>. Cachen kan anges antingen som <replaceable>TYP:" -"ÅTERSTOD</replaceable>, eller som en absolut sökväg, vilket implicerar typen " -"<quote>FILE</quote>. I mallen ersätts följande sekvenser: <placeholder type=" -"\"variablelist\" id=\"0\"/> Om mallen slutar med ”XXXXXX” används mkstemp(3) " -"för att skapa ett unikt filnamn på ett säkert sätt." +"Invalidera alla autofs-översättningar. Detta alternativ åsidosätter " +"invalidering av en viss översättning om det också angavs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" -"När KEYRING-typer används är den enda mekanismen som stödjs <quote>KEYRING:" -"persistent:%U</quote>, vilket använder Linuxkärnans nyckelring för att lagra " -"kreditiv på per-UID-bas. Detta är också det rekommenderade valet, eftersom " -"det är den säkraste och mest förutsägbara metoden." +"<option>-h</option>,<option>--ssh-host</option> <replaceable>värdnamn</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "Invalidera publika SSH-nycklar för en viss värd." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "<option>-H</option>,<option>--ssh-hosts</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -"Standardvärdet för namnet på kreditiv-cachen läses från profilen som fil " -"sparad i den systemtäckande konfigurationsfilen krb5.conf i avsnittet " -"[libdefaults]. Alternativnamnet är default_ccache_name. Se krb5.conf(5)s " -"avsnitt PARAMETEREXPANSION för mer information om expansionsformatet som " -"definieras av krb5.conf." +"Invalidera publika SSH-nycklar för alla värdar. Detta alternativ " +"åsidosätter invalidering av SSH-nycklar för en viss värd om det också angavs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" -"OBSERVERA: var medveten om att ccache-expansionsmallen för libkrb5 från " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> använder andra expansionssekvenser än SSSD." +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>regel</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" -msgstr "Standard: (från libkrb5)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "Invalidera en viss sudo-regel." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (heltal)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "<option>-R</option>,<option>--sudo-rules</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. 
If possible, the authentication request is continued " -"offline." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -"Tidsgräns i sekunder efter vilken en uppkopplad begäran om autentisering " -"eller begäran om lösenordsändring avbryts. OM möjligt fortsätts begäran om " -"autentisering frånkopplat." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (boolean)" +"Invalidera alla cachade sudo-regler. Detta alternativ åsidosätter " +"invalidering av en viss sudo-regel om det också angavs." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" -"Verifiera med hjälp av krb5_keytab att den TGT om hämtats inte har " -"förfalskats. I keytab:en kontrolleras poster sekvensiellt, och den första " -"posten med ett matchande rike används för validering. Om ingen post machar " -"riket används den sista posten i keytab:en. Denna process kan användas för " -"att validera miljöer genom att använda förtroenden mellan riken genom att " -"placera den motsvarande keytab-posten som sista post eller den enda posten i " -"keytab-filen." 
+"<option>-d</option>,<option>--domain</option> <replaceable>domän</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Begränsa invalideringsprocessen till endast en viss domän." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "[föråldrad] ändra felsökningsnivå medan SSSD kör" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -"Platsen där keytab:en som skall användas för validering av kreditiv som tas " -"emot från KDC:er finns." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'><replaceable>NY_FELSÖKNINGSNIVÅ</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Standard: /etc/krb5.keytab" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" +"<command>sss_debuglevel</command> är föråldrat och ersatt av kommandot " +"sssctl debug-level. Se manualsidan <command>sssctl</command> för mer " +"information om användning av sssctl." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "initiera SSSD-cachen med en användare" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -"Spara lösenordet för användaren om leverantören är frånkopplad och använd " -"det för att begära en TGT när leverantören blir uppkopplad igen." 
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>flaggor</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMÄN</replaceable></" +"arg> <arg choice='plain'>-n <replaceable>ANVÄNDARE</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" -"OBS: denna funktion är endast tillgänglig på Linux. Lösenord som lagras på " -"detta sätt hålls i klartext i kärnans nyckelring och är potentiellt " -"åtkomliga för root-användaren (med svårighet)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (sträng)" +"<command>sss_seed</command> initierar SSSD-cachen med en användarpost och " +"tillfälligt lösenord. Om en användarpost redan finns i SSSD-cachen " +"uppdateras den posten med det tillfälliga lösenordet." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"Begär en förnybar biljett med en total livslängd, given som ett heltal " -"omedelbart följd av en tidsenhet:" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMÄN</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "<emphasis>s</emphasis> för sekunder" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Ange namnet på domänen i vilken användaren är en medlem. Domänen används " +"också för att hämta användarinformation. Tomänen måste vara konfigurerad i " +"sssd.conf. Alternativet <replaceable>DOMÄN</replaceable> måste anges. " +"Information som hämtas från domänen åsidosätter vad som anges i flaggorna." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "<emphasis>m</emphasis> för minuter" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>ANVÄNDARE</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "<emphasis>h</emphasis> för timmar" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" +"Användarnamnet på posten som skall skapas eller ändras i cachen. Flaggan " +"<replaceable>ANVÄNDARE</replaceable> måste anges." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "<emphasis>d</emphasis> för dagar." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Sätt användarens AID till <replaceable>AID</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." -msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." 
+msgstr "Sätt användarens GID till <replaceable>GID</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." -msgstr "" -"OBSERVERA: det är inte möjligt att blanda enheter. För att sätta den " -"förnybara livslängden till en och en halv timma, använd ”90m” istället för " -"”1h30m”." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "Standard: inte satt, d.v.s. TGT:en är inte förnybar" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "Sätt användarens hemkatalog till <replaceable>HEMKAT</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "Sätt användarens inloggningsskal till <replaceable>SKAL</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"Interactive mode for entering user information. 
This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -"Begär en biljett med en livslängd, given som ett heltal omedelbart följd av " -"en tidsenhet:" +"Interaktivt läge för att ange användarinformation. Detta alternativ kommer " +"bara att fråga efter information som inte angävs med flaggor eller hämtades " +"från domänen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." -msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> <replaceable>LÖSENFIL</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" -"OBSERVERA: det är inte möjligt att blanda enheter. För att sätta " -"livslängden till en och en halv timma, använd ”90m” istället för ”1h30m”." +"Ange filen att läsa användarnas lösenord ifrån. (om inte angivet " +"efterfrågas lösenord)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Default: not set, i.e. 
the default ticket lifetime configured on the KDC." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -"Standard: inte satt, d.v.s. biljettens stanardlivsläng konfigurerad på KDC:n." +"Längden på lösenordet (eller storleken på filen som anges med flaggan -p " +"eller --password-file) måste vara mindre eller lika med PASS_MAX byte (64 " +"byte på system utan något globalt definierat PASS_MAX-värde)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (sträng)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "SSSD InfoPipe-respondent" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Tiden i sekunder mellan två kontroller om TGT:en skall förnyas. 
TGT:er " -"förnyas om ungefär halva deras livstid har överskridits, givet som ett " -"heltal omedelbart följt av en tidsenhet:" +"Denna manualsida besriver konfigurationen av InfoPipe-respondenten till " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " +"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -"Om detta alternativ inte är satt eller är 0 är den automatiska förnyelsen " -"avaktiverad." +"InfoPipe-respondenten tillhandahåller ett publikt D-Bus-gränssnitt åtkomligt " +"över systembussen. Gränssnittet låter användaren att fråga efter " +"information om fjärranvändare och -grupper över systembussen." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (sträng)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" +"Dessa alternativ kan användas för att konfigurera InfoPipe-respondenten." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -"Aktiverar flexibel autentisering via säker tunnling (flexible authentication " -"secure tunneling, FAST) för Kerberos förautentisering. Följande alternativ " -"stödjs:" +"Anger den kommaseparerade listan av UID-värden eller användarnamn som " +"tillåts använda InfoPipe-respondenten. Användarnamn slås upp till UID:er " +"vid uppstart." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -"<emphasis>never</emphasis> använd aldrig FAST. Detta är ekvivalent med att " -"inte ställa in denna This is ekvivalent med att inte sätta detta alterinativ " -"alls." +"Standard: 0 (endast root-användaren tillåts komma åt InfoPipe-respondenten)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -"<emphasis>try</emphasis> försök använda FAST. Om servern inte stödjer FAST, " -"fortsätt då autentiseringen utan den." +"Observera att även om UID 0 används som standard kommer det att skrivas över " +"av detta alternativ. Om du fortfarande vill tillåta root-användaren att " +"komma åt InfoPipe-respondenten, vilket man typiskt vill, måste du lägga till " +"även 0 i listan av tillåtna UID:er." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 -msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -"<emphasis>demand</emphasis> kräv användning av FAST. Autentiseringen " -"misslyckas om servern inte begär fast." +"Anger den kommaseparerade listan över vit- eller svartlistade attribut." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "Standard: inte satt, d.v.s. FAST används inte." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." -msgstr "OBSERVERA: en keytab krävs för att använda FAST." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "användarens inloggningsnamn" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." -msgstr "" -"OBSERVERA: SSSD stödjer endast FAST med MIT Kerberos version 1.8 och " -"senare. Om SSSD används med en äldre version av MIT Kerberos är det ett " -"konfigurationsfel att använda detta alternativ." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "användar-ID" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." -msgstr "Anger serverhuvudmannen att använda för FAST." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 -msgid "" -"Specifies if the host and user principal should be canonicalized. 
This " -"feature is available with MIT Kerberos 1.7 and later versions." -msgstr "" -"Anger om värdens och användarens huvudman skall göras kononisk. Denna " -"funktion är tillgänglig med MIT Kerberos 1.7 och senare versioner." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "primär grupps ID" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" -msgstr "krb5_kdcinfo_lookahead (sträng)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "användarinformation, normalt fullständigt namn" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "användarens skal" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -"När krb5_use_kdcinfo är satt till true kan man begränsa mängden servrar som " -"skcikas till <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. Detta kan vara " -"användbart när det finns för många servrar som upptäcks med hjälp av SRV-" -"poster." +"Som standard tillåter bara InfoPipe-respondenten att standarduppsättningen " +"av POSIX-attribut begärs. Denna uppsättning är densamma som returneras av " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> och inkluderar: <placeholder type=\"variablelist" +"\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 -#, fuzzy -#| msgid "" -#| "The krb5_kdcinfo_lookahead option contains two numbers seperated by a " -#| "colon. The first number represents number of primary servers used and the " -#| "second number specifies the number of backup servers." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. 
" -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -"Alternativet krb5_kdcinfo_lookahead innehåller två tal separerade av ett " -"kolon. Det första talet representerar antalet primärservrar som används och " -"det andra talet anger antalet reservservrar." +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -#| "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. but no backup " -#| "servers." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Det är möjligt att lägga till ett annat attribut till denna uppsättning " +"genom att använda <quote>+attrnamn</quote> eller uttryckligen ta bort ett " +"attribut genom att använda <quote>-attrnamn</quote>. 
Till exempel, för att " +"tillåta <quote>telephoneNumber</quote> men neka <quote>loginShell</quote> " +"skulle man använda följande konfiguration: <placeholder type=\"programlisting" +"\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -"Till exempel betyder <emphasis>10:0</emphasis> att upp till 10 primärservrar " -"kommer lämnas till<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. men inga " -"reservservrar." +"Standard: inte satt. Endast standaruppsättningen av POSIX-attribut är " +"tillåtna." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" -msgstr "Standard: 3:1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" +"Anger en övre gräns på antalet poster som hämtas under en uppslagning med " +"jokertecken som åsidosätter gränsen anroparen tillhandahåller." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "Standard: 0 (låt anroparen sätta en övre gräns)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -"Anger om användarens huvudman skall behandlas som företagshuvudman. Se " -"avsnitt 5 i RFC 6806 för mer detaljer om företagshuvudmän." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Utvecklare (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Utvecklare (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" -msgstr "Standard: false (AD-leverantör: true)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "sss_rpcidmapd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "sss insticksmoduls konfigurationsdirektiv för rpc.idmapd" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "KONFIGURATIONSFIL" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -"IPA-leverantören kommer sätta detta alternativ till ”true” om den upptäcker " -"att servern klarar av att hantera företagshuvudmän och alternativet inte är " -"uttryckligen satt i konfigurationsfilen." +"rpc.idmapd konfigurationsfil finns vanligen som <emphasis>/etc/idmapd.conf</" +"emphasis>. Se <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> för mer information." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" -msgstr "krb5_map_user (sträng)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "SSS-KONFIGURATIONSUTVIDGNING" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "Aktivera SSS-insticksmodul" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -"Listan av mappningar anges som en kommaseparerad lista av par " -"<quote>användarnamn:primär</quote> där <quote>användarnamn</quote> är ett " -"UNIX-användarnamn och <quote>primär</quote> är en användardel av en " -"kerberoshuvudman. Denna mappning används när användaren autentiserar med " -"<quote>auth_provider = krb5</quote>." +"I avsnittet <quote>[Translation]</quote>, ändra/sätt attributet " +"<quote>Method</quote> till att innehålla <emphasis>sss</emphasis>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "[sss] konfigurationsavsnitt" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." 
msgstr "" -"krb5_realm = RIKE\n" -"krb5_map_user = maria:manvnd,hasse:hans\n" +"För att ändra standardvärdet på ett av konfigurationsattributen för " +"insticksmodulen <emphasis>sss</emphasis> som räknas upp nedan behöver man " +"skapa ett konfigurationsavsnitt för den, med namnet <quote>[sss]</quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 -msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "Konfigurationsattribut" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "memcache (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" -"<quote>maria</quote> och <quote>hasse</quote> är UNIX-användarnamn och " -"<quote>manvnd</quote> och <quote>hans</quote> är primärer i " -"kerberoshuvudmän. För användaren <quote>maria</quote> resp. <quote>hasse</" -"quote> kommer SSSD försöka att göra kinit som <quote>manvndr@RIKE</quote> " -"resp. <quote>hans@RIKE</quote>." +"Indikerar huruvida optimeringstekniken memcache skall användas eller inte." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "SSSD-INTEGRATION" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sss_rpcidmapd.5.xml:87 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -"Om autentiseringsodulen krb5 används in en SSD-domän måste följande " -"alternativ användas. Se manualsidan <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, avsnittet " -"<quote>DOMÄNSEKTIONER</quote> för detaljer om konfigurationen av en SSSD-" -"domän. <placeholder type=\"variablelist\" id=\"0\"/>" +"Insticksmodulen sss att <emphasis>NSS-respondenten</emphasis> är aktiverad i " +"sssd." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sss_rpcidmapd.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -"Följande exempel antar att SSSD är korrekt konfigurerard och att APA är en " -"av domänerna i avsnittet <replaceable>[sssd]</replaceable>. Detta exempel " -"visar endast konfigurationen av Kerberosautentisering; det inkluderar inte " -"någon identitetsleverantör." 
+"Attributet <quote>use_fully_qualified_names</quote> måste aktiveras i alla " +"domäner (NFSv4-klienter förväntar sig att ett fullständigt kvalificerat namn " +"skickas över tråden)." #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sss_rpcidmapd.5.xml:103 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" -"[domain/APA]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXEMPEL.SE\n" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "skapa en ny grupp" - -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 -msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>flaggor</" -"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></" -"arg>" +"[General]\n" +"Verbosity = 2\n" +"# domänen måste synkroniseras mellann NFSv4-servern och -klienter\n" +"# Solaris/Illumos/AIX använder \"localdomain\" som standard!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sss_rpcidmapd.5.xml:100 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<command>sss_groupadd</command> skapar en ny grupp. Dessa grupper är " -"kompatibla med POSIX-grupper, med den ytterligare funktionen att de kan " -"innehålla andra grupper som medlemmar." +"Följande exempel visar en minimal idmapd.conf som använder insticksmodulen " +"sss. <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" -msgstr "" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "SE ÄVEN" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "" +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "" +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "hämta auktoriserade OpenSSH-nycklar" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>flaggor</replaceable> </arg> <arg " +"choice='plain'><replaceable>ANVÄNDARE</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" +"<command>sss_ssh_authorizedkeys</command> hämtar publika SSH-nycklar för " +"användaren <replaceable>ANVÄNDARE</replaceable> och skriver ut dem t " +"formatet för OpenSSH authorized_keys (se avsnittet <quote>AUTHORIZED_KEYS-" +"FILFORMAT</quote> i <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> för mer information)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." 
msgstr "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> kan konfigureras till att använda " +"<command>sss_ssh_authorizedkeys</command> för autentisering med användares " +"publika nyckel om den är kompilerad med stöd för alternativet " +"<quote>AuthorizedKeysCommand</quote>. Se manualsidan <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> för mer detaljer om detta alternativ." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." 
+"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" +"Om <quote>AuthorizedKeysCommand</quote> stödjs kan " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> konfigureras för att använda den genom att lägga in följande " +"direktiv <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "NYCKLAR FRÅN CERTIFIKAT" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" +"Utöver de publika SSH-nycklarna för användaren <replaceable>ANVÄNDARE</" +"replaceable> kan <command>sss_ssh_authorizedkeys</command> även returnera " +"publika SSH-nycklar härledda från den publika nyckeln i ett X.509-certifikat." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" +"För att aktivera måste alternativet <quote>ssh_use_certificate_keys</quote> " +"sättas till true (standard) i avsnittet [ssh] av <filename>sssd.conf</" +"filename>. Om användarposten innehåller certifikat (se " +"<quote>ldap_user_certificate</quote> i <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer) " +"eller det finns ett certifikat i en åsidosättande post för användaren (se " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> eller <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer) och " +"certifikatet är giltigt kommer SSSD extrahera den publika nyckeln från " +"certifikatet och konvertera den till formatet som sshd förväntar sig." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "Vid sidan av <quote>ssh_use_certificate_keys</quote> kan alterntiven" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "ca_db" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "p11_child_timeout" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 -msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "certificate_verification" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." -msgstr "" - -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" +"användas för att styra hur certifikaten valideras (se " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> för detaljer)." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" +"Valideringen är fördelen med att använda X.509-certifikat istället för att " +"använda SSH-nycklar direkt för att det t.ex. ger en bättre kontroll över " +"livslängden hos nycklarna. 
När ssh-klienten är konfigurerad att använda de " +"privata nycklarna från ett smartkort med hjälp av det delade PKCS#11-" +"biblioteket (se <citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> för detaljer) kan det vara " +"irriterande att autentiseringen fortfarande fungerar även om det tillhörande " +"X.509-certifikatet på smartkortet redan har gått ut eftersom varken " +"<command>ssh</command> eller <command>sshd</command> kommer titta på " +"certifikatet över huvud taget." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" +"Det måste påpekas att den härledda publika SSH-nyckeln fortfarande kan " +"läggas till i användarens fil <filename>authorized_keys</filename> för att " +"gå runt certifikatvalideringen om konfigurationen av <command>sshd</command> " +"tillåter detta." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." 
msgstr "" +"Sök efter användares publika nycklar i SSSD-domänen <replaceable>DOMÄN</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "SLUTSTATUS" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." -msgstr "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "Om det lyckas returneras 0 som slutstatus. Annars returneras 1." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "" +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "" +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "hämta OpenSSH-värdnycklar" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#: sss_ssh_knownhostsproxy.1.xml:21 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>flaggor</replaceable> </arg> <arg " +"choice='plain'><replaceable>VÄRD</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY-KOMMANDO</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 -msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." 
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +"<command>sss_ssh_knownhostsproxy</command> hämtar publika SSH-värdnycklar " +"för värden <replaceable>VÄRD</replaceable>, lagar dem i en anpassad OpenSSH-" +"known_hosts-fil (se avsnittet <quote>SSH_KNOWN_HOSTS-FILFORMAT</quote> i " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> för mer information) <filename>/var/lib/sss/pubconf/" +"known_hosts</filename> och upprättar anslutningen till värden." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" +"Om <replaceable>PROXY-KOMMANDO</replaceable> anges används det för att skapa " +"anslutningen till värden istället för att öppna ett uttag." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> kan konfigureras till att använda " +"<command>sss_ssh_knownhostsproxy</command> för värdnyckelautentisering genom " +"att använda följande direktiv i konfigurationen av " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" +"Använd porten <replaceable>PORT</replaceable> för att ansluta till värden. " +"Som standard används port 22." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" +"Sök efter värdars publika nycklar i SSSD-domänen <replaceable>DOMÄN</" +"replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "" +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" +msgstr "<option>-k</option>,<option>--pubkey</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" +"Skriv ut värdens publika ssh-nycklar för värden <replaceable>VÄRD</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "idmap_sss" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "SSSD:s idmap_sss-bakände för Winbind" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" +"Modulen idmap_sss tillhandahåller ett sätt att anropa SSSD för att översätta " +"UID:er/GID:er och SID:er. Ingen databas behöv i detta fall eftersom " +"översättningen görs av SSSD." + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "IDMAP-ALTERNATIV" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "" +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "range = låg - hög" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" +"Definierar de tillgängliga matchnings-UID- och GID-intervallen som bakänden " +"är auktoritativ för." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" +"Detta exempel visar hur man konfigurerar idmap_sss som " +"standardöversättningsmodulen." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMÄNKORTNAMN>\n" +"\n" +"idmap config <AD-DOMÄNKORTNAMN> : backend = sss\n" +"idmap config <AD-DOMÄNKORTNAMN> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" +"Ersätt <AD-DOMÄNKORTNAMN> med NetBIOS-domännamnet för AD-domänen. Om " +"flera AD-domäner skall användas behöver varje domän en <literal>idmap " +"config</literal>-rad med <literal>backend = sss</literal> och en rad med ett " +"lämpligt <literal>range</literal>." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: idmap_sss.8.xml:69 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" +"Eftersom Winbind kräver en skrivbar standardbakände och idmap_sss endast är " +"läsbar inkluderar exemplet <literal>backend = tdb</literal> som standard." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "sssctl" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "SSSD kontroll- och statusverktyg" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" +"<command>sssctl</command> <arg choice='plain'><replaceable>KOMMANDO</" +"replaceable></arg> <arg choice='opt'> <replaceable>flaggor</replaceable> </" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" +"<command>sssctl</command> tillhandahåller ett enkelt och enhetligt sätt att " +"få information om SSSD:s status, såsom aktiv server, automatupptäckta " +"servrar, domäner och cachade objekt. Dessutom kan det hantera SSSD:s " +"datafiler för felsökning på ett sådant sätt att det är säkert att hantera " +"medan SSSD kör." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." 
msgstr "" +"För att lista alla tillgängliga kommandon, kör <command>sssctl</command> " +"utan några parametrar. För att skriva ut hjälp om ett valt kommando, kör " +"<command>sssctl KOMMANDO --help</command>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "sssd-files" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "SSSD:s filleverantör" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Denna manualsida besriver filleverantören till <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " +"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" +"Filleverantören gör speglar innehållet i filerna <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> och <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. Syftet med filleverantören är att " +"göra användarna och grupperna som traditionellt bara är tillgångliga via NSS-" +"gränssnitt även tillgängliga via SSSD-gränssnitten såsom <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 +msgid "" +"Another reason is to provide efficient caching of local users and groups." msgstr "" +"Ett annat skäl är att tillhandahålla effektiv cachning av lokala användare " +"och grupper." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 +msgid "" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" +"Observera att en del distributioner aktiverar fildomänen automatiskt, och " +"lägger domänen före alla explicit konfigurerade domäner. Se " +"enable_files_domain i <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" +"SSSD hanterar aldrig uppslagning av användaren/gruppen ”root”. " +"Uppslagningen av UID/GID 0 hanteras inte heller av SSSD. Sådana begäranden " +"skickas till nästa NSS-modul (vanligen filer)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" +"När SSSD inte kör eller svarar retunerar nss_sss koden UNAVAIL som får " +"begäran att skickas vidare till nästa modul." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "passwd_files (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" +"Kommaseparerad lista av ett eller flera namn på lösenordsfiler att läsa och " +"räkna upp av filleverantören, inotify-övervakningsvakter kommer att sättas " +"på varje fil för att upptäcka ändringar dynamiskt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" +msgstr "Standard: /etc/passwd" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "group_files (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." 
+"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" +"Kommaseparerad lista av ett eller flera namn på gruppfiler att läsa och " +"räkna upp av filleverantören, inotify-övervakningsvakter kommer att sättas " +"på varje fil för att upptäcka ändringar dynamiskt." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "Standard: /etc/group" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"Utöver de alternativ som räknas upp nedan kan generella SSD-domänalternativ " +"sättar där de är tillämpliga. Se <quote>DOMÄNSEKTIONER</quote> i " +"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> för detaljer om konfigurationen av " +"en SSSD-domän. 
Men syftet med leverantören files är att exponera samma data " +"som UNIX-filerna, bara via gränssnitten för SSSD. Därför stödjs inte alla " +"generella domänalternativ. På samma sätt har några globala alternativ, " +"såsom att åsidosätta skalet i avsnittet <quote>nss</quote> för alla domäner " +"ingen effekt på domänen files om det inte anges uttryckligen per domän. " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" +"Följande exempel antar att SSSD är korrekt konfigurerat och att files är en " +"av domänerna i avsnittet <replaceable>[sssd]</replaceable>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" msgstr "" +"[domain/files]\n" +"id_provider = files\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." 
msgstr "" +"För att dra nytta av SSSD:s cachning av lokala användare och grupper måste " +"modulen nss_sss listas före modulen nss_files i /etc/nsswitch.conf." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"passwd: sss files\n" +"group: sss files\n" msgstr "" +"passwd: sss files\n" +"group: sss files\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "sssd-secrets" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "SSSD Secrets-respondent" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Denna manualsida besriver konfigurationen av Secrets-respondenten till " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " +"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" +"Många system och användarprogram behöver lagra privat information såsom " +"lösenord eller tjänstenycklar och har inget bra sätt att ta hand om dem " +"ordentligt. Den enkla vägen är att bädda in dessa <quote>hemligheter</" +"quote> i konfigurationsfiler där de potentiellt kan komma att exponera " +"känslig nyckelinformation till säkerhetskopior, " +"konfigurationshanteringssystem och gör det i allmänhet svårare att säkra " +"datan." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." msgstr "" +"Projektet <ulink url=\"https://github.com/latchset/custodia\">custodia</" +"ulink> föddes för att ta hand om detta problem i molnlika miljöer, men vi " +"tyckte att idén var övertygande även på nivån av enstaka system. Som en " +"säkerhetstjänst är SSSD ideal för att hantera denna funktionalitet och och " +"samtidigt erbjuda samma API via ett UNIX-uttag. Detta kommer göra det " +"möjligt att använda lokala anrop och få dem dirigerade transparent till ett " +"lokalt eller fjärran nyckelhanteringslager såsom IPA Vault för lagring, " +"deponering och återhämtning." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" +"Hemligheterna är enkla nyckel-värde-par. Varje användares hemligheter " +"ligger i en namnrymd efter deras användar-ID, vilket betyder att hemligheter " +"aldrig kommer kollidera mellan användare. Hemligheter kan lagras inuti " +"<quote>behållare</quote> som kan nästas." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "secrets" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "hemligheter för allmän användning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "kcm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" +"används av tjänsten <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. 
The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"Eftersom secrets-respondenten kan användas både externt för att lagra " +"allmänna hemligheter, såsom beskrives i resten av den här manualsidan, men " +"också intern av andra SSSD-komponenter för att lagra deras material kan " +"några konfigurationsalternativ, som kvoter konfigureras per <quote>svärm</" +"quote> i ett konfigurationsavsnitt namngivet efter svärmen. De svärmar som " +"stödjs för närvarande är: <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "ANVÄNDA SECRETS-REPONDENTEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" +"UNIX-uttaget SSSD-responenten lyssnar på finns på <filename>/var/run/secrets." +"socket</filename>." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" +"Secrets-respondenten är uttagsaktiverad av <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Till skillnad mot andra SSSD-respondedenter, den kan inte " +"startas genom att lägga till strängen <quote>secrets</quote> till direktivet " +"<quote>service</quote>. Systemd-uttagsenheten heter <quote>sssd-secrets." +"socket</quote> och den motsvarande tjänstefilen heter <quote>sssd-secrets." +"service</quote>. För att tjänsten skall vara uttagsaktiverad, se till att " +"uttaget är aktiverat och aktivt och att tjänsten är aktiverad: <placeholder " +"type=\"programlisting\" id=\"0\"/> Pbservera att dom dostrobitopm redan kan " +"ha konfigurerat enheterna åt dig." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" +"De allmänna alternativen för SSSD-respondenter såsom <quote>debug_level</" +"quote> eller <quote>fd_limit</quote> accepteras av secrets-respondenten. Se " +"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> för en fullständig lista. Dessutom " +"finns det några secrets-specifika alternativ också." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" +"Secrets-respondenten är konfigurerad i ett global avsnitt <quote>[secrets]</" +"quote> och ett valfritt avsnitt per användare <quote>[secrets/users/$uid]</" +"quote> i <filename>sssd.conf</filename>. Observera att några alternativ, " +"speciellt leverantörstypen, bara kan anges i underavsnitt per användare." -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "provider (sträng)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "local" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" +"Hemligheterna sparas i en lokal databas, krypterad i vila med en " +"huvudnyckel. Den lokal leverantören har inte några ytterligare " +"konfigurationsalternativ för tillfället." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "proxy" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" +"Secrets-respondenten vidarebefordrar begäranden till en Custodia-server. " +"Proxy-leverantören stödjer flera ytterligare alternativ (se nedan)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" +"Alternativet anger var hemligheterna skall sparas. Secrets-respondenten kan " +"konfigurera ett underavsnitt per användare (t.ex. 
<quote>[secrets/" +"users/123]</quote> – se slutet av denna manualsida för ett fullständigt " +"exempel som använder Custodia för en viss användare) som definierar vilken " +"leverantör som sparar hemligheterna för denna specifika användare. " +"Underavsnittet per användare skall innehålla alla alternativ för den " +"användarens leverantör. Observera att för närvarande är alltid den globala " +"leverantören lokal, proxy-leverantören kan endast anges i ett avsnitt per " +"användare. Följande leverantörer stödjs: <placeholder type=\"variablelist\" " +"id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "Standard: local" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" +"Följande alternativ påverkar endast hemlighets-<quote>svärmen</quote> och " +"skall därför sättas i ett underavsnitt per svärm. Att sätta alternativet " +"till 0 betyder ”obegränsat”." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 -msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" -msgstr "" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "containers_nest_level (heltal)" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 -msgid "" -"The username of the entry to be created or modified in the cache. The " -"<replaceable>USER</replaceable> option must be provided." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." msgstr "" +"Detta alternativ specificerar det maximala antalet tillåtna nästlade " +"behållare." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." -msgstr "" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" +msgstr "Standard: 4" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "max_secrets (heltal)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#: sssd-secrets.5.xml:207 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" +"Detta alternativ anger det maximala antalet hemligheter som kan sparas i " +"svärmen." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." 
-msgstr "" +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "Standard: 1024 (secrets-svärm), 256 (kcm-svärm)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "max_uid_secrets (heltal)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#: sssd-secrets.5.xml:219 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" +"Detta alternativ anger det maximala antalet hemligheter som kan sparas per " +"UID i svärmen." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "Standard: 256 (secrets-svärm), 64 (kcm-svärm)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 -msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" -msgstr "" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "max_payload_size (heltal)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 -msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-secrets.5.xml:231 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." 
-msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" +"Detta alternativ anger den maximala laststorleken som tillåts för en " +"hemlighetslast i kilobyte." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "Standard: 16 (secrets-svärm), 65536 (64 MiB) (kcm-svärm)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-secrets.5.xml:241 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." 
+"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"Till exempel, för att justera kvoter olika för både svärmen <quote>secrets</" +"quote> och <quote>kcm</quote>, konfigurera följande: <placeholder type=" +"\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#: sssd-secrets.5.xml:252 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" +"Följande alternativ är endast användbara för konfigurationer som använder " +"leverantören <quote>proxy</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "proxy_url (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#: sssd-secrets.5.xml:260 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The URL the Custodia server is listening on. 
At the moment, http and https " +"protocols are supported." msgstr "" +"URL:en Custodia-servern lyssnar på. För tillfället stödjs protokollen http " +"och https." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." -msgstr "" +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "http[s]://<värd>[:port]" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "Exempel: http://localhost:8080" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "auth_type (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" +"Metoden att använda vid autentisering mot en Custodia-server. Följande " +"autentiseringsmetoder stödjs:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "basic_auth" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" +"Autentisera med ett användarnamn och lösenord som satts i alternativen " +"<quote>username</quote> och <quote>password</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "header" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" +"Autentisera med ett HTTP-huvudvärde som det är definierat i " +"konfigurationsalternativen <quote>auth_header_name</quote> och " +"<quote>auth_header_value</quote>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "auth_header_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" +"Om satt kommer secrets-respondenten lägga in ett huvud med detta namn i HTTP-" +"begäranden med värdet som definieras i konfigurationsalternativet " +"<quote>auth_header_value</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "Exempel: MITTHEMLIGANAMN" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "auth_header_value (sträng)" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 +#: sssd-secrets.5.xml:323 msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" +"Värdet sssd-secrets kommer använda till <quote>auth_header_name</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "Exempel: minhemlighet" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "forward_headers (lista av strängar)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" +"Listan över HTTP-huvuden att vidarebefordra till Custodia-servern " +"tillsammans med begäran" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "verify_peer (boolean)" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-secrets.5.xml:347 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" +"Huruvida motpartens certifikat skall verifieras och vara giltigt om HTTPS-" +"protokollet används med proxy-leverantören." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "verify_host (boolean)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" +"Huruvida motpartens värdnamn måste stämma med värdnamnet i dess certifikat " +"om HTTPS-protokollet används med proxy-leverantören." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "capath (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-secrets.5.xml:372 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"Path to directory containing stored certificate authority certificates. 
" +"System default path is used if this option is not set." msgstr "" +"Sökväg till katalogen som innehåller lagrade certifikatutfärdares " +"certifikat. Systemets stanardsökväg används om detta alternativ inte är " +"satt." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "cacert (sträng)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" +"Sökväg till filen som innehåller serverns certifikatauktaritetscertifikat. " +"Om detta alternativ inte är satt, då slås CA:ns certifikat upp i " +"<quote>capath</quote>." -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "cert (sträng)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." 
msgstr "" +"Sökväg till filen som innehåller klientens certifikat om det krävs av " +"servern. Denna fil kan också innehålla en privat nyckel eller så kan den " +"privata nyckeln finnas i en separat fil som anges med <quote>key</quote>." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "key (sträng)" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "Sökväg till filen som innehåller klientens privata nyckel." #. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" -msgstr "" +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "ATT ANVÄNDA REST-API:ET" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-secrets.5.xml:424 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. 
Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" +"Detta avsnitt listar tillgängliga kommandon och inkluderar exempel som " +"använder verktyget <citerefentry> <refentrytitle>curl</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry>. Alla begäranden av proxy-" +"leverantören måste sätta huvudet Content Type till <quote>application/json</" +"quote>. Dessutom stödjer den lokala leverantören även att Content Type " +"sätts till <quote>application/octet-stream</quote>. Hemligheter sparade med " +"begäranden som sätter huvudet Content Type till <quote>application/octet-" +"stream</quote> base64-kodas när de lagras och avkodas när de hämtas, så det " +"är inte möjligt att lagra en hemlighet med en Content Type och hämta med en " +"annan. URI:n för hemligheter måste börja med <filename>/secrets/</filename>." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "Lista hemligheter" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" +"För att lista de tillängliga hemligheterna, skicka en HTTP GET-begäran med " +"ett avslutande snedstreck tillagt på behållarsökvägen." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "Hämta en hemlighet" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" +"För att läsa värdet på en enskild hemlighet, skicka en HTTP GET-begäran utan " +"ett avslutande snedstreck. Den sista delen av URI:n är namnet på " +"hemligheten." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." 
+"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/apa\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bepa\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" +"Exempel: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "Spara en hemlighet" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" +"För att spara en hemlighet med typen <quote>application/json</quote>, skicka " +"en HTTP PUT-begäran med en JSON-last som innehåller typ och värde. Typen " +"skall sättas till ”simple” och värdet skall sättas till hemlighetens värde. " +"Om en hemlighet med det namnet redan finns blir svaret ett 409 HTTP-fel." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" +"Typen <quote>application/json</quote> skickar bara hemligheten som " +"meddelandets last." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." 
+"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/apa \\\n" +" -d'{\"type\":\"simple\",\"value\":\"hemligapa\"}'\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bepa \\\n" +" -d'hemligbepa'\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" +"Följande exempel sparar en hemlighet som heter ”apa” till värdet ”hemligapa” " +"och en hemlighet som heter ”bepa” till värdet ”hemligbepa” genom att använda " +"en annan Content Type. <placeholder type=\"programlisting\" id=\"0\"/> " +"<placeholder type=\"programlisting\" id=\"1\"/>" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "Att skapa en behållare" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" +"Behållare tillhandahåller en ytterligare namnrymd för denna användarens " +"hemligheter. För att skapa en behållare, skicka en HTTP POST-begäran, vars " +"URI slutar med behållarnamnet. Observera att URI:n måste sluta med ett " +"avslutande snedstreck." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/minbeh%C3%A5llare/\n" +" " -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" +"Följande exempel skapar en behållare som heter ”minbehållare”:<placeholder " +"type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" +"http://localhost/secrets/minbeh%C3%A5llare/minhemlighet\n" +" " -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"För att hantera hemligheter under den här behållaren, nästa bara hemligheter " +"under behållarsökvägen: <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "Radera en hemlighet eller behållare" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" +"För att radera en hemlighet eller behållare, skicka en HTTP DELETE-begäran " +"med en sökväg till hemligheten eller behållaren." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/apa\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" +"Följande exempel raderar en hemlighet som heter ”apa”:<placeholder type=" +"\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "EXEMPEL PÅ KONFIGURATION AV CUSTODIA- OCH PROXY-LEVERANTÖRER" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#: sssd-secrets.5.xml:565 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" +"För att testa proxy-leverantören behöver du sätta upp en Custodia-server att " +"vidarebefordra begäranden till. Se till att läsa dokumentationen till " +"Custdia, konfigurationsdirektiven kan ändras med olika Custidoa-versioner." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MITTHEMLIGANAMN\n" +"value = minhemliganyckel\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. 
Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"Denna konfiguration kommer sätta upp en Custodia-server som lyssnar på " +"http://localhost:8080, tillåter vem som helst med ett huvd med namnet " +"MITTHEMLIGANAMN satt till minhemliganyckel att kommunicera med Custodia-" +"servern. Placera innehållet i en fil (till exempel, <replaceable>custodia." +"conf</replaceable>): <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" +"Kör sedan kommandot <replaceable>custodia</replaceable> och peka det på " +"konfigurationsfilen som ett kommandoradsargument." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" +"Observera att det för närvarande inte är möjligt att vidarebefordra alla " +"begäranden globalt till en Custodia-instans. Istället måste underavsnitt " +"per användare för användar-ID:n som skall skicka vidare begäranden till " +"Custodia definieras. Följande exempel illustrerar en konfiguration där " +"användaren med AID 123 skulle skicka vidare sina begäranden till Custodia, " +"men alla andra användares begäranden skulle hanteras av en lokal leverantör." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MITTHEMLIGANAMN\n" +"auth_header_value = minhemliganyckel\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" -msgstr "" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "sssd-session-recording" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "Konfigurera sessionsinspelning med SSSD" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" +"Denna manualsider beskriver hur man konfigurerar <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"att fungera med <citerefentry> <refentrytitle>tlog-rec-session</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, en del av paketet " +"tlog, för att implementera inspelning av användarsessioner på en " +"textterminal. 
För en detaljerad referens till konfigurationssyntaxen, se " +"avsnittet <quote>FILE FORMAT</quote> av manualsidan <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" +"SSSD kan sättas upp för att möjliggöra inspelning av allting specifika " +"användare ser eller skriver under sina sessioner på en textterminal. T.ex., " +"när användare loggar in på konsolen, eller via SSH. SSSD själv spelar inte " +"in någonting, men ser till att tlog-rec-session startas när användaren " +"loggar in, så att den kan spela in enligt sin konfiguration." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" +"För användare med sessionsinspelning aktiverad ersätter SSSD avnändarens " +"skal med tlog-rec-session i NSS-svar, och lägger till en variabel som anger " +"det ursprungliga skalet till användarens miljö när PAM sätter upp " +"sessionen. På detta sätt kan tlog-rec-session startas istället för " +"användarens skal, och veta vilket faktiskt skal som skall startas när den " +"satt upp inspelningen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 -msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "Dessa alternativ kan användas för att konfigurera sessionsinspelning." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" +"Följande snutt från sssd.conf gör det möjligt att spela in sessioner för " +"användarna ”konsult1” och ”konsult2” och gruppen ”studenter”." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" +"[session_recording]\n" +"scope = some\n" +"users = konsult1,konsult2\n" +"groups = studenter\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "" +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "sssd-kcm" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "" +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "SSSD Kerberos cache-hanterare" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). 
KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" +"Denna manualsida beskriver konfigurationen av SSSD:s Kerberos cache-" +"hanterare (KCM). KCM är en process som lagrar, spårar och hanterar " +"Kerberoskreditiv-cacher. Det kommer från projekter Heimdal Kerberos, fast " +"biblioteket MIT Kerberos tillhandahåller även stöd för klientsidan (mer " +"detaljer om det nedan) av KCM-kreditiv-cachen." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#: sssd-kcm.8.xml:31 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" +"I en uppsättning där Kerberos cachar hanteras av KCM är Kerberosbiblioteket " +"(typiskt använt via ett program, som t.ex., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, en <quote>”KCM-klient\"</quote> och KCMdemonen refereras till " +"som en <quote>”KCM-server\"</quote>. 
Klienten och servern kommunicerar via " +"ett UNIX-uttag." #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 +#: sssd-kcm.8.xml:42 msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" +"KCM-servern håller reda på ägaren till varje kreditiv-cache och utför " +"åtkomstkontroller baserat på AID:t pcj GID:t på KCM-klienten. Root-" +"användaren hår åtkomst till alla kreditiv-cacher." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "KCM-kreditiv-cachen har flera intressanta egenskaper:" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" +"eftersom processen kär i användarrymden är den föremål för AID-namrymder, " +"till skillnad mod kärnans nyckelring" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" +"till skillnad mot kärnans nyckelringsbaserade cache, som delas mellan alla " +"behållare, är KCM-servern en separat process vars ingångspunkt är ett UNIX-" +"uttag" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +#, fuzzy +#| msgid "" +#| "the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +#| "<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +#| "citerefentry> secrets store, allowing the ccaches to survive KCM server " +#| "restarts or machine reboots." msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" +"SSSD-implementationen sparar ccache:rna i SSSD:s hemlighetsförråd " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, vilket gör att ccache:rna kan överleva att KCM-" +"servern eller hela maskinen startas om." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:67 msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" +"Detta gör att systemet kan använda en samlingsmedveten kreditiv-cache, och " +"ändå dela kreditivcachen mellan några eller inga behållare genom " +"bindmontering av uttaget." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "ATT ANVÄNDA KCM-KREDITIV-CACHEN" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:76 msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." 
+"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"För att använda KCM-kreditiv-cachen måste den väljas som " +"standardkreditivtypen i <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Kreditiv-cachens " +"namn skall bara vara <quote>KCM:</quote> utan några mallexpansioner. Till " +"exempel: <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:89 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"Se därefter till att Kerberos-klientbiblioteken och KCM-servern är överens " +"om sökvägen till UNIX-uttaget. Som standard använder båda samma sökväg " +"<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. För att " +"konfigurera Kerberos-biblioteket, ändra dess alternativ <quote>kcm_socket</" +"quote> som beskrivs i manualsidan <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#: sssd-kcm.8.xml:100 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" +"Se slutligen till att SSSD KCM-servern kan kontaktas. KCM-tjänsten är " +"normalt uttagsaktiverad av <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Till skillnad mot " +"andra SSSD-tjänster kan den inte startas genom att lägga till strängen " +"<quote>kcm</quote> till direktivet <quote>service</quote>. <placeholder " +"type=\"programlisting\" id=\"0\"/> Observera att din distribution kanske " +"redan konfigurerar enheterna åt dig." #. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" -msgstr "" +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "KREDITIV-CACHE-LAGRINGEN" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" +"Kreditiv-cachen lagras i en databas, snarlikt hur SSSD cachar användar- " +"eller grupposter. Databasen finns normalt i <quote>/var/lib/sss/secrets</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" +msgstr "ATT FÅ TAG I FELSÖKNINGSLOGGAR" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" +"[kcm]\n" +"debug_level = 10\n" +" " -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 #, no-wrap msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +"systemctl restart sssd-kcm.service\n" +" " msgstr "" +"systemctl restart sssd-kcm.service\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#: sssd-kcm.8.xml:131 msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" +"Tjänsten sssd-kcm är normalt uttagsaktiverad av <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. För att skapa felsökningsloggar, lägg till följande antingen " +"direkt till filen <filename>/etc/sssd/sssd.conf</filename> eller som en " +"konfigurationssnutt till katalogen <filename>/etc/sssd/conf.d/</filename>: " +"<placeholder type=\"programlisting\" id=\"0\"/> Starta sedan om tjänsten " +"sssd-kcm: <placeholder type=\"programlisting\" id=\"1\"/> Kör slutligen det " +"användningsfall som inte fungerar. KCM-loggarana kommer skapas i <filename>/" +"var/log/sssd/sssd_kcm.log</filename>. 
Det rekommenderas att avaktivera " +"felsökningloggarna när man inte längre behöver informationen aktiverad " +"eftersom tjänsten sssd-kcm kan skapa en ganska stor mängd " +"felsökningsinformation." #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-kcm.8.xml:155 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" +"Observera att konfigurationssnuttar för närvarande endast behandlas om " +"huvudkonfigurationsfilen på <filename>/etc/sssd/sssd.conf</filename> över " +"huvud taget finns." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the files provider for <citerefentry> " +#| "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +#| "citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +#| "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" +"Denna manualsida besriver filleverantören till <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " +"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 +#: sssd-kcm.8.xml:183 msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" +"De allmänna alternativen för tjänsten SSSD såsom <quote>debug_level</quote> " +"eller <quote>fd_limit</quote> accepteras av tjänsten kcm. Se manualsidan " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> för en fullständig lista. Dessutom finns det " +"några KCM-specifika alternativ också." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" +msgstr "socket_path (sträng)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." +msgstr "Uttaget tjänsten KCM kommer lyssna på." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "Standard: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "max_secrets (integer)" +msgid "max_ccaches (integer)" +msgstr "max_secrets (heltal)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "max_uid_secrets (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "max_uid_secrets (heltal)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Standard: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "max_payload_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "max_payload_size (heltal)" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Standard: 6" + #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 +#: sssd-kcm.8.xml:247 msgid "" -"Another reason is to provide efficient caching of local users and groups." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "sssd-systemtap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "SSSD systemtap-information" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#: sssd-systemtap.5.xml:23 msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" +"Denna manualsidan innehåller information om systemtap-funktionen i " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-systemtap.5.xml:32 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" +"SystemTap-testpunkter har lagts till på diverse platser i SSSD-koden för att " +"hjälpa till i felsökning och analys av prestandarelaterade problem." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "Exempel på SystemTap-skript finns i /usr/share/sssd/systemtap/" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." 
+"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" +"Testpunkter och diverse funktioner definieras i /usr/share/systemtap/tapset/" +"sssd.stp respektive /usr/share/systemtap/tapset/sssd_functions.stp." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "TESTPUNKTER" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" +"Informationen nedan räknar upp testpunkterna och argumenten som är " +"tillgängliga i följande format:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "testpunkt $namn" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "Beskrivning av testpunkten" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" +"variabel1:datatyp\n" +"variabel2:datatyp\n" +"variabel3:datatyp\n" +"…\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "Databastransaktionstestpunkter" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" -"Utöver de alternativ som räknas upp nedan kan generella SSD-domänalternativ " -"sättar där de är tillämpliga. 
Se <quote>DOMÄNSEKTIONER</quote> i " -"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> för detaljer om konfigurationen av " -"en SSSD-domän. Men syftet med leverantören files är att exponera samma data " -"som UNIX-filerna, bara via gränssnitten för SSSD. Därför stödjs inte alla " -"generella domänalternativ. På samma sätt har några globala alternativ, " -"såsom att åsidosätta skalet i avsnittet <quote>nss</quote> för alla domäner " -"ingen effekt på domänen files om det inte anges uttryckligen per domän. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "testpunkt sssd_transaction_start" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" +"Start av en sysdb-transaktion, känner av funktionen " +"sysdb_transaction_start()." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 #, no-wrap msgid "" -"[domain/files]\n" -"id_provider = files\n" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" +"nesting:heltal\n" +"probestr:sträng\n" +" " -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "testpunkt sssd_transaction_cancel" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"passwd: sss files\n" -"group: sss files\n" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" +"Annulering av en sysdb-transaktion, känner av funktionen " +"sysdb_transaction_cancel()." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "testpunkt sssd_transaction_commit_before" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "Känner av funktionen sysdb_transaction_commit_before()." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "testpunkt sssd_transaction_commit_after" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "Känner av funktionen sysdb_transaction_commit_after()." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. 
This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "LDAP-sökningstestpunkter" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "testpunkt sdap_search_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "Känner av funktionen sdap_get_generic_ext_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, fuzzy, no-wrap +#| msgid "" +#| "base:string\n" +#| "scope:integer\n" +#| "filter:string\n" +#| "probestr:string\n" +#| " " msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" +"base:sträng\n" +"scope:heltal\n" +"filter:sträng\n" +"probestr:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" +msgstr "testpunkt sdap_search_recv" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "Känner av funktionen sdap_get_generic_ext_recv()." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" +"base:sträng\n" +"scope:heltal\n" +"filter:sträng\n" +"probestr:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +#, fuzzy +#| msgid "probe sdap_deref_send" +msgid "probe sdap_parse_entry" +msgstr "testpunkt sdap_deref_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "filter:string\n" +#| " " msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +"attr:string\n" +"value:string\n" +" " msgstr "" +"filter:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +#, fuzzy +#| msgid "probe dp_req_done" +msgid "probe sdap_parse_entry_done" +msgstr "testpunkt dp_req_done" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" +msgstr "testpunkt sdap_deref_send" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "Känner av funktionen sdap_deref_search_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 #, no-wrap msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" +"base_dn:sträng\n" +"deref_attr:sträng\n" +"probestr:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" +msgstr "testpunkt sdap_deref_recv" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. 
Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "Känner av funktionen sdap_deref_search_recv()." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" +msgstr "Testpunkter av LDAP-kontobegäranden" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" +msgstr "testpunkt sdap_acct_req_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." +msgstr "Känner av funktionen sdap_acct_req_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" +"entry_type:heltal\n" +"filter_type:heltal\n" +"filter_value:sträng\n" +"extra_value:sträng\n" +" " -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" +msgstr "testpunkt sdap_acct_req_recv" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "Känner av funktionen sdap_acct_req_recv()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" +msgstr "Testpunkter av LDAP-användarsökningar" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" +msgstr "testpunkt sdap_search_user_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "Känner av funktionen sdap_search_user_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. 
The local provider does not have any additional config options at the " -"moment." +"filter:string\n" +" " msgstr "" +"filter:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" +msgstr "testpunkt sdap_search_user_recv" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." +msgstr "Känner av funktionen sdap_search_user_recv()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" +msgstr "testpunkt sdap_search_user_save_begin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "Känner av funktionen sdap_search_user_save_begin()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "testpunkt sdap_search_user_save_end" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "Känner av funktionen sdap_search_user_save_end()." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "Testpunkter av dataleverantörsbegäranden" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" +msgstr "testpunkt dp_req_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "En dataleverantörsbegäran skickas." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" +"dp_req_domain:sträng\n" +"dp_req_name:sträng\n" +"dp_req_target:heltal\n" +"dp_req_method:heltal\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" +msgstr "testpunkt dp_req_done" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." +msgstr "En dataleverantörsbegäran avslutas." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"This option specifies where should the secrets be stored. 
The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" +"dp_req_name:sträng\n" +"dp_req_target:heltal\n" +"dp_req_method:heltal\n" +"dp_ret:heltal\n" +"dp_errorstr:sträng\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "DIVERSE FUNKTIONER" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" +msgstr "funktionen acct_req_desc(posttyp)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" +msgstr "Konvertera posttyp till en sträng och returnera strängen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. 
Setting the option to 0 " -"means \"unlimited\"." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" +"funktionen sssd_acct_req_probestr(fc_namn, posttyp, filtertyp, filtervärde, " +"extravärde)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" +msgstr "Skapa testpunktsträng baserad på filtertyp" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" +msgstr "funktionen dp_target_str(mål)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" +msgstr "Konvertera målet till en sträng och returnera strängen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" +msgstr "funktionen dp_method_str(mål)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "Konvertera metoden till en sträng och returnera strängen" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 +msgid "" +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 -msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (sträng)" + #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 -msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "SSSD LDAP-leverantör" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" +"Denna manualsida beskriver beskriver konfigurationen av LDAP-domäner för " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Se avsnittet <quote>FILFORMAT</quote> av manualsidan " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> för detaljerad syntaxinformation." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "Objektklassen hos en användarpost i LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Standard: posixAccount" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "LDAP-attributet som motsvarar användarens inloggningsnamn." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Standard: uid (rfc2307, rfc2307bis och IPA), sAMAccountName (AD)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "LDAP-attributet som motsvarar användarens id." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "Standard: uidNumber" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "LDAP-attributet som motsvarar användarens primära grupp-id." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Standard: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" +msgstr "ldap_user_primary_group (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"Active Directory primary group attribute for ID-mapping. 
Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" +"Active Directorys primära gruppattribut för ID-mappning. Observera att " +"detta attribut skall bara sättas manuellt om du kör <quote>ldap</quote>-" +"leverantören med ID-mappning." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "Standard: ej satt (LDAP), primaryGroupID (AD)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 -msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "LDAP-attributet som motsvarar användarens gecos-fält." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Standard: gecos" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "LDAP-attributet som innehåller namnet på användarens hemkatalog." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "LDAP-attributet som innehåller sökvägen till användarens standardskal." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Standard: loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-användarobjekt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" +"Standard: inte satt i det allmänna fallet, objectGUID för AD och ipaUniqueID " +"för IPA" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." 
+"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"LDAP-attributet som innehåller objectSID för ett LDAP-användarobjekt. Detta " +"är normalt bara nödvändigt för Active Directory-servrar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "Standard: objectSid för Active Directory, inte satt för andra servrar." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" +"LDAP-attributet som innehåller tidsstämpeln för den senaste ändringen av " +"föräldraobjektet." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Standard: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (tidpunkt för senaste lösenordsändring)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Standard: shadowLastChange" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 -msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (minsta lösenordsålder)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Standard: shadowMin" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (största lösenordsålder)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Standard: shadowMax" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (varningsperiod för lösenord)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Standard: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (sträng)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (inaktivitetsperiod för lösenord)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Standard: shadowInactive" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." 
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" +"När ldap_pwd_policy=shadow används innehåller denna parameter namnet på ett " +"LDAP-attribut som utgör dess motsvarighet i <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (tid då kontot går ut)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Standard: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" +"När ldap_pwd_policy=mit_kerberos används innehåller denna parameter namnet " +"på ett LDAP-attribut som lagrar dag och tid för senaste lösenordsändring i " +"kerberos." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Standard: krbLastPwdChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" +"När ldap_pwd_policy=mit_kerberos används innehåller denna parameter namnet " +"på ett LDAP-attribut som lagrar dag och tid när det nuvarande låsenordet går " +"ut." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Standard: krbPasswordExpiration" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" +"När ldap_account_expire_policy=ad används innehåller denna parameter namnet " +"på ett LDAP-attribut som lagrar tidpunkten när kontot går ut." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Standard: accountExpires" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." 
+"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" +"När ldap_account_expire_policy=ad används innehåller denna parameter namnet " +"på ett LDAP-attribut som lagrar användarkontots styrbitfält." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Standard: userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" +"När ldap_account_expire_policy=rhds eller likvärdigt används avgör denna " +"parameter om åtkomst skall tillåtas eller inte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "Standard: nsAccountLock" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" +"När ldap_account_expire_policy=nds används avgör detta attribut om åtkomst " +"skall tillåtas eller inte." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Standard: loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." 
msgstr "" +"När ldap_account_expire_policy=nds används avgör detta attribut till vilket " +"datum åtkomst tillåts." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" +"När ldap_account_expire_policy=nds används avgör detta attribut vilka timmar " +"på dagen i en vecka åtkomst tillåts." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Standard: loginAllowedTimeMap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (sträng)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" +"LDAP-attributet som innehåller användarens användarhuvudmansnamn i Kerberos " +"(UPN)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Standard: krbPrincipalName" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" +"Kommaseparerad lista av LDAP-attribut som SSSD skall hämta tillsammans med " +"den vanliga uppsättningen av användarattribut." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" +"Listan kan antingen innehålla endast LDAP-attributnamn, eller " +"kolonseparerade tupler av SSSD-cacheattribut och LDAP-attributnamn. Ifall " +"endast LDAP-attributnamn anges sparas attributet i cachen ordagrant. Att " +"använda ett anpassat SSSD-attributnamn kan vara nödvändigt i miljöer som " +"konfigurerar flera SSSD-domäner med olika LDAP-scheman." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" +"Observera att flera attributnamn är reserverade av SSSD, speciellt " +"attributet <quote>name</quote>. SSSD rapporterar ett fel om något av de " +"reserverade attributnamnen används som ett extra attributnamn." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" +"Spara attributet <quote>telephoneNumber</quote> från LDAP som " +"<quote>telephoneNumber</quote> i cachen." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." 
msgstr "" +"Spara attributet <quote>telephoneNumber</quote> från LDAP som <quote>phone</" +"quote> i cachen." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "LDAP-attributet som innehåller användarens publika SSH-nycklar." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "Standard: sshPublicKey" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "LDAP-attributet som motsvarar användarens fullständiga namn." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "LDAP-attributet som räknar upp användarens gruppmedlemskap." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Standard: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" +"Om access_provider=ldap och ldap_access_order=authorized_service kommer SSSD " +"använda förekomsten av attributet authorizedService i användarens LDAP-post " +"för att avgöra åtkomstpriviligier." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" +"Ett explicit nekande (!svc) avgörs först. Därefter söker SSSD efter " +"explicit tillåtelse (svc) och slutligen efter allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" +"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" +"emphasis> innehållla <quote>authorized_service</quote> för att alternativet " +"ldap_user_authorized_service skall fungera." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. 
" +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Standard: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" +"Om access_provider=ldap och ldap_access_order=host kommer SSSD använda " +"förekomsten av attributet host i användarens LDAP-post för att avgöra " +"åtkomstpriviligier." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"An explicit deny (!host) is resolved first. 
Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" +"Ett explicit nekande (!host) avgörs först. Därefter söker SSSD efter " +"explicit tillåtelse (host) och slutligen efter allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" +"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" +"emphasis> innehållla <quote>host</quote> för att alternativet " +"ldap_user_authorized_host skall fungera." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Standard: host" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" +msgstr "ldap_user_authorized_rhost (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" +"Om access_provider=ldap och ldap_access_order=rhost kommer SSSD använda " +"förekomsten av attributet rhost i användarens LDAP-post för att avgöra " +"åtkomstpriviligier." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" +"Ett explicit nekande (!rhost) avgörs först. Därefter söker SSSD efter " +"explicit tillåtelse (rhost) och slutligen efter allow_all (*)." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" +"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</" +"emphasis> innehållla <quote>rhost</quote> för att alternativet " +"ldap_user_authorized_rhost skall fungera." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" +msgstr "Standard: rhost" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "Namnet på LDAP-attributet som innehåller användarens X509-certifikat." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "Standard: userCertificate;binary" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "ldap_user_email (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "Namnet på LDAP-attributet som innehåller användarens e-postadress." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" +"Observera: om en e-postadress för användaren står i konflikt med en e-" +"postadress eller fullt kvalificerat namn för en annan användare, då kommer " +"SSSD inte kunna serva dessa användare ordentligt. 
Om flera användare av " +"något skäl behöver dela samma e-postadress, sätt då detta attributnamn till " +"ett som inte finns för att avaktivera uppslagning/inloggning av användare " +"via e-post." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" +msgstr "Standard: mail" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "Objektklassen hos en gruppost i LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Standard: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "LDAP-attributet som motsvarar gruppnamnet." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Standard: cn (rfc2307, rfc2307bis och IPA), sAMAccountName (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "LDAP-attributet som motsvarar gruppens id." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "LDAP-attributet som innehåller namnen på gruppens medlemmar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Standard: memberuid (rfc2307) / member (rfc2307bis)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-gruppobjekt." -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"LDAP-attributet som innehåller objectSID för ett LDAP-gruppobjekt. Detta är " +"normalt bara nödvändigt för Active Directory-servrar." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 -msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (sträng)" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +#, fuzzy +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" +"LDAP-attributet som innehåller ett heltalsvärde som indikerar grupptypen och " +"kanske ondra flaggor." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" +"Detta attribut används för närvarande bara av AD-leverantören för att avgöra " +"om en domänlokal grupp och behöver filtreras bort för betrodda domäner." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. 
By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "Standard: groupType i AD-leverantören, inte satt annars" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" +msgstr "ldap_group_external_member (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." 
msgstr "" +"LDAP-attributet som refererar gruppmedlemmar som är definierade i en extern " +"domän. För närvarande stödjs endast IPA:s externa medlemmar." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "Standard: ipaExternalMember i IPA-leverantören, inte satt annars" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "Objektklassen hos en nätgruppspost i LDAP." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "I IPA-leverantören skall ipa_netgroup_object_class användas istället." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Standard: nisNetgroup" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "LDAP-attributet som motsvarar nätgruppnamnet." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "I IPA-leverantören skall ipa_netgroup_name användas istället." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "LDAP-attributet som innehåller namnen på nätgruppens medlemmar." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "I IPA-leverantören skall ipa_netgroup_member användas istället." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Standard: memberNisNetgroup" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -#, fuzzy -#| msgid "" -#| "This manual page describes the configuration of the AD provider for " -#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -#| "manvolnum> </citerefentry>. For a detailed syntax reference, refer to " -#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> " -#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -#| "citerefentry> manual page." -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." -msgstr "" -"Denna manualsida besriver konfigurationen av leverantören AD till " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. För en detaljerad referens om syntaxen, se avsnittet " -"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" +"LDAP-attributet som innehåller nätgrupptrippeln (värd, användare, domän)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "Detta alternativ är inte tillgängligt i IPA-leverantören." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Standard: nisNetgroupTriple" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "enum_cache_timeout (integer)" -msgid "max_ccaches (integer)" -msgstr "enum_cache_timeout (heltal)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" +msgstr "ldap_host_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "min_id,max_id (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "min_id,max_id (heltal)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." +msgstr "Objektklassen hos en värdpost i LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Standard: ipService" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Standard: 6" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" +msgstr "ldap_host_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "ldap_page_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "ldap_page_size (heltal)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "LDAP-attributet som motsvarar värdens namn." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "ldap_host_fqdn (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" +"LDAP-attributet som motsvarar värdens fullständigt kvalificerade domännamn." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Standard: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "Standard: fqdn" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" +msgstr "ldap_host_serverhostname (sträng)" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" +msgstr "Standard: serverHostname" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" +msgstr "ldap_host_member_of (sträng)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "LDAP-attributet som räknar upp värdens gruppmedlemskap." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" +msgstr "ldap_host_ssh_public_key (sträng)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "LDAP-attributet som innehåller värdens publika SSH-nycklar." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "ldap_host_uuid (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-värdobjekt." #. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" -msgstr "" +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "TJÄNSTESEKTIONER" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "Objektklassen hos en servicepost i LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" +"LDAP-attributet som innehåller namnet på tjänsteattribut och deras alias." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "LDAP-attributet som innehåller porten som hanteras av denna tjänst." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap -msgid "" -"nesting:integer\n" -"probestr:string\n" -" " -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Standard: ipServicePort" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." -msgstr "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "LDAP-attributet som innehåller protokollen som denna tjänst förstår." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Standard: ipServiceProtocol" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "Objektklassen hos en sudo-regelpost i LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Standard: sudoRole" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "LDAP-attributet som motsvarar sudo-regelnamnet." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "LDAP-attributet som motsvarar kommandonamnet." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Standard: sudoCommand" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" +"LDAP-attributet som motsvarar värdnamnet (eller värdens IP-adress, värdens " +"IP-nätverk eller värdens nätgrupp)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Standard: sudoHost" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (sträng)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" +"LDAP-attributet som motsvarar användarnamnet (eller UID, gruppnamnet eller " +"användarens nätgrupp)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Standard: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "LDAP-attributet som motsvarar sudo-alternativen.." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Standard: sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." 
msgstr "" +"LDAP-attributet som motsvarar användarnamnet som kommandon får köras som." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Standard: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" +"LDAP-attributet som motsvarar gruppnamnet eller grupp-GID:t som kommandon " +"får köras som." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Standard: sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" +"LDAP-attributet som motsvarar startdagen/-tiden då sudo-regeln är giltig." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Standard: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (sträng)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" +"LDAP-attributet som motsvarar utgångsdagen/-tiden då sudo-regeln inte " +"längre är giltig." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Standard: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "LDAP-attributet som motsvarar ordningsindexet för regeln." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Standard: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "AUTOFSALTERNATIV" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." +msgstr "Objektklassen hos en automatmonteringskartepost i LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "Standard: nisMap (rfc2307, autofs_provider=ad), annars automountMap" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "Namnet på en automatmonteringskartepost i LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" +"Standard: nisMapName (rfc2307, autofs_provider=ad), annars automountMapName" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" +"Objektklassen hos en automatmonteringspost i LDAP. Posten motsvarar " +"vanligen en monteringspunkt." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" -msgstr "" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "Standard: nisObject (rfc2307, autofs_provider=ad), annars automount" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (sträng)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" +"Nyckeln till en automatmonteringspost i LDAP. Posten motsvarar vanligen en " +"monteringspunkt." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" -msgstr "" +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "Standard: cn (rfc2307, autofs_provider=ad), annars automountKey" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (sträng)" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" +"Standard: nisMapEntry (rfc2307, autofs_provider=ad), annars " +"automountInformation" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 @@ -18363,7 +19488,7 @@ msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 msgid "Configuration" -msgstr "" +msgstr "Konfiguration" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:11 @@ -18387,7 +19512,7 @@ msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:23 msgid "The domain name" -msgstr "" +msgstr "Domännamnet" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:25 
@@ -18396,11 +19521,14 @@ msgid "" "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for more details." msgstr "" +"Se parametern <quote>dns_discovery_domain</quote> i manualsidan " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> för fler detaljer." #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:35 msgid "The protocol" -msgstr "" +msgstr "Protokollet" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:37 @@ -18408,6 +19536,8 @@ msgid "" "The queries usually specify _tcp as the protocol. Exceptions are documented " "in respective option description." msgstr "" +"Frågorna anger vanligen _tcp som protokoll. Undantag är dokumenterade i " +"respektive alternativs beskrivning." #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:42 @@ -18695,22 +19825,22 @@ msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:33 msgid "Making sure the remote servers are reachable" -msgstr "" +msgstr "Se till att fjärservrarna är nåbara" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:38 msgid "Stopping the SSSD service" -msgstr "" +msgstr "Stoppar tjänsten SSSD" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:43 msgid "Removing the database" -msgstr "" +msgstr "Tar bort databasen" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:48 msgid "Starting the SSSD service" -msgstr "" +msgstr "Startar tjänsten SSSD" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:52 
@@ -18719,11 +19849,14 @@ msgid "" "system properties such as file and directory ownership, it's advisable to " "plan ahead and test the ID mapping configuration thoroughly." msgstr "" +"Dessutom, eftersom ändringen av ID:n kan göra det nödvändigt att justera " +"andra systemegenskaper såsom ägare av filer och kataloger, är det lämpligt " +"att planera i förväg och testa konfigurationen av ID-översättningar noggrant." #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:59 msgid "Mapping Algorithm" -msgstr "" +msgstr "Översättningsalgoritm" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:61 @@ -18733,6 +19866,10 @@ msgid "" "represent the Active Directory domain identity and the relative identifier " "(RID) of the user or group object." msgstr "" +"Aktive Directory tillandahåller ett objectSID för varje användar- och " +"gruppobjekt i katalogen. Detta objectSID kan delas upp i komponenter som " +"representerar Active Directorys domänidentitet och den relativa " +"identifieraren (RID) till användar- eller gruppobjektet." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:67 @@ -18741,6 +19878,10 @@ msgid "" "into equally-sized component sections - called \"slices\"-. Each slice " "represents the space available to an Active Directory domain." msgstr "" +"SSSD ID-översättningsalgoritmen tar ett intervall av tillgängliga AID:er och " +"delar upp det i lika stora komponentavsnitt – kallade “skivor” (”slices”) " +"–. Varje skiva representerar utrymmet som är tillgängligt för en Active " +"Directory-domän." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:73 
@@ -18750,6 +19891,10 @@ msgid "" "In order to make this slice-assignment repeatable on different client " "machines, we select the slice based on the following algorithm:" msgstr "" +"När en användar- eller gruppost för en viss domän påträffas för första " +"gången allokerar SSSD en av tillgängliga skivorna för den domänen. För att " +"göra denna skivtilldelning upprepbar på olika klientmaskiner väljer vi " +"skivan baserat på följande algoritm:" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:80 @@ -18758,6 +19903,9 @@ msgid "" "a 32-bit hashed value. We then take the modulus of this value with the total " "number of available slices to pick the slice." msgstr "" +"SID-strängen skickas genom algoritmen murmurhash3 för att konvertera den " +"till ett 32-bitars hash-värde. Vi tar sedan modulo på detta värde med det " +"totala antalet tillgängliga skivor och väljer den skivan." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:86 
@@ -18771,12 +19919,21 @@ msgid "" "configure a default domain to guarantee that at least one is always " "consistent. See <quote>Configuration</quote> for details." msgstr "" +"OBSERVERA: Det är möjligt att träffa på kollisioner i hash:en och den " +"påföljande moduloberäkningen. I dessa situationer kommer vi välja nästa " +"tillgängliga skiva, men det är kanske inte möjligt att reproducera exakt " +"samma uppsättning av skivor på andra maskiner (eftersom ordningen som de " +"påträffas kommer avgöra deras skiva). I den här situationen rekommenderas " +"det att antingen byta till att använda explicita POSIX-attribut i Active " +"Directory (avaktivera ID-mappningen) eller konfigurera en standarddomän för " +"att garantera att åtminstone en alltid är konsistent. Se " +"<quote>Konfiguration</quote> för detaljer." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:101 msgid "" "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" -msgstr "" +msgstr "Minimikonfiguration (i avsnittet <quote>[domain/DOMÄNNAMN]</quote>):" #. type: Content of: <refsect1><refsect2><para><programlisting> #: include/ldap_id_mapping.xml:106 @@ -18785,6 +19942,8 @@ msgid "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" msgstr "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:111 
@@ -18793,16 +19952,20 @@ msgid "" "of holding up to 200,000 IDs, starting from 200,000 and going up to " "2,000,200,000. This should be sufficient for most deployments." msgstr "" +"Standardkonfigurationen resulterar i konfiguration av 10 000 skivor, som var " +"och en kan innehålla upp till 200 000 ID:n, med början på 200 000 och upp " +"till 2 000 200 000. Detta bör vara tillräckligt för de flesta " +"installationer." #. type: Content of: <refsect1><refsect2><refsect3><title> #: include/ldap_id_mapping.xml:117 msgid "Advanced Configuration" -msgstr "" +msgstr "Avancerad konfiguration" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:120 msgid "ldap_idmap_range_min (integer)" -msgstr "" +msgstr "ldap_idmap_range_min (heltal)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:123 @@ -18810,6 +19973,8 @@ msgid "" "Specifies the lower bound of the range of POSIX IDs to use for mapping " "Active Directory user and group SIDs." msgstr "" +"Anger den lägre gränsen för intervallet av POSIX ID:n att använda för " +"översättning av användar- och grupp-SID:n från Active Directory." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:127 
@@ -18820,16 +19985,22 @@ msgid "" "distinction, but the good general advice would be to have <quote>min_id</" "quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" msgstr "" +"OBSERVERA: Detta alternativ är inte detsamma som <quote>min_id</quote> " +"eftersom <quote>min_id</quote> fungerar som ett filter av utmatade " +"begäranden till denna domän, medan detta alternativ styr intervallet av ID-" +"tilldelningen. Detta är en subtil distinktion, men det allmänna goda rådet " +"skulle vara att ha <quote>min_id</quote> mindre än eller lika med " +"<quote>ldap_idmap_range_min</quote>" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 msgid "Default: 200000" -msgstr "" +msgstr "Standard: 200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:142 msgid "ldap_idmap_range_max (integer)" -msgstr "" +msgstr "ldap_idmap_range_max (heltal)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:145 @@ -18837,6 +20008,8 @@ msgid "" "Specifies the upper bound of the range of POSIX IDs to use for mapping " "Active Directory user and group SIDs." msgstr "" +"Anger den övre gränsen för intervallet av POSIX ID:n att använda för " +"översättning av användar- och grupp-SID:n från Active Directory." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:149 
@@ -18847,16 +20020,22 @@ msgid "" "distinction, but the good general advice would be to have <quote>max_id</" "quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" msgstr "" +"OBSERVERA: Detta alternativ är inte detsamma som <quote>max_id</quote> " +"eftersom <quote>max_id</quote> fungerar som ett filter av utmatade " +"begäranden till denna domän, medan detta alternativ styr intervallet av ID-" +"tilldelningen. Detta är en subtil distinktion, men det allmänna goda rådet " +"skulle vara att ha <quote>max_id</quote> större än eller lika med " +"<quote>ldap_idmap_range_max</quote>" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:159 msgid "Default: 2000200000" -msgstr "" +msgstr "Standard: 2000200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:164 msgid "ldap_idmap_range_size (integer)" -msgstr "" +msgstr "ldap_idmap_range_size (heltal)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:167 @@ -18865,6 +20044,9 @@ msgid "" "does not divide evenly into the min and max values, it will create as many " "complete slices as it can." msgstr "" +"Anger antalet ID:n som är tillgängliga för varje skiva. Om storleken på " +"intervallet inte delas jämnt mellan min- och maxvärdena kommer den skapa så " +"många fullständiga skivor den kan." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:173 
@@ -18873,6 +20055,10 @@ msgid "" "RID planned for use on the Active Directory server. User lookups and login " "will fail for any user whose RID is greater than this value." msgstr "" +"OBSERVERA: Värdet på detta alternativ måste vara åtminstone så stort som den " +"högsta RID som planeras användas i Active Directory-servern. " +"Användaruppslagningar och inloggningar kommer misslyckas för eventuella " +"användare vars RID är större än detta värde." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:179 @@ -18882,6 +20068,11 @@ msgid "" "<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " "equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." msgstr "" +"Till exempel, om den senaste tillagda Active Directory-användaren har " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> måste vara åtminstone 1108 eftersom " +"intervallstorleken är lika med maximal SID minus minimal SID plus ett (t.ex. " +"1108 = 1107 - 0 + 1)." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:186 
@@ -18890,11 +20081,15 @@ msgid "" "will result in changing all of the ID mappings on the system, leading to " "users with different local IDs than they previously had." msgstr "" +"Det är viktigt att planera i förväg för framtida expansioner, eftersom " +"ändring av detta värde skulle resultera i att ändra alla ID-översättningar " +"på systemet, vilket skulle leda till användare med andra lokala ID:n än de " +"tidigare hade." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:196 msgid "ldap_idmap_default_domain_sid (string)" -msgstr "" +msgstr "ldap_idmap_default_domain_sid (sträng)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:199 @@ -18903,21 +20098,24 @@ msgid "" "domain will always be assigned to slice zero in the ID map, bypassing the " "murmurhash algorithm described above." msgstr "" +"Ange domän-SID:n för standarddomänen. Detta kommer garantera att denna " +"domän alltid kommer tilldelas till skiva noll i ID-översättningen, och " +"undviker murmurhash-algoritmen som beskrivs ovan." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:210 msgid "ldap_idmap_default_domain (string)" -msgstr "" +msgstr "ldap_idmap_default_domain (sträng)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:213 msgid "Specify the name of the default domain." -msgstr "" +msgstr "Ange namnet på standarddomänen." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:221 msgid "ldap_idmap_autorid_compat (boolean)" -msgstr "" +msgstr "ldap_idmap_autorid_compat (boolean)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:224 
@@ -18925,6 +20123,8 @@ msgid "" "Changes the behavior of the ID-mapping algorithm to behave more similarly to " "winbind's <quote>idmap_autorid</quote> algorithm." msgstr "" +"Ändrar beteendet på ID-översättningsalgoritmen till att bete sig mer likt " +"winbind:s <quote>idmap_autorid</quote>-algoritm." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:229 @@ -18932,6 +20132,8 @@ msgid "" "When this option is configured, domains will be allocated starting with " "slice zero and increasing monatomically with each additional domain." msgstr "" +"När detta alternativ konfigureras kommer domäner allokeras med början med " +"skiva noll och ökar monotont med varje ytterligare domän." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:234 @@ -18942,11 +20144,16 @@ msgid "" "<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " "least one domain is consistently allocated to slice zero." msgstr "" +"OBSERVERA: Denna algoritm är inte deterministisk (den beror på ordningen som " +"användare och grupper efterfrågas). Om detta läge krävs för kompatibilitet " +"med maskiner som kör winbind rekommenderas det att även använda alternativet " +"<quote>ldap_idmap_default_domain_sid</quote> för att garantera att " +"åtminstone en domän är konsekvent allokerat till skiva noll." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:249 msgid "ldap_idmap_helper_table_size (integer)" -msgstr "" +msgstr "ldap_idmap_helper_table_size (heltal)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:252 
@@ -18954,6 +20161,8 @@ msgid "" "Maximal number of secondary slices that is tried when performing mapping " "from UNIX id to SID." msgstr "" +"Maximalt antal sekundära skivor som provas när mappningen från UNIX id till " +"SID utförs." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:256 @@ -18963,11 +20172,15 @@ msgid "" "generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " "then no additional secondary slices are generated." msgstr "" +"Observera: ytterliga sekundära skivor kan genereras när en SID översätts " +"till UNIX-id och RID-delen av SID:n är utanför intervallet för sekundära " +"skivor som genererats hittills. OM värdet på ldap_idmap_helper_table_size " +"är lika med 0 genereras inga ytterligare sekundära skivor." #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:273 msgid "Well-Known SIDs" -msgstr "" +msgstr "Välkända SID:er" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:275 @@ -18977,6 +20190,10 @@ msgid "" "those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " "POSIX IDs are available for those objects." msgstr "" +"SSSD stödjer upplsagning av namnen på välkända SID:er, d.v.s. SID:er med en " +"speciell hårdkodad betydelse. Eftersom de allmänna användarna och grupperna " +"relaterade till dessa välkända SID:er inte har någon motsvarighet i en " +"Linux-/UNIX-miljö är inga POSIX-ID:n tillgängliga för dessa objekt." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:281 
@@ -18984,36 +20201,38 @@ msgid "" "The SID name space is organized in authorities which can be seen as " "different domains. The authorities for the Well-Known SIDs are" msgstr "" +"SID-namnrymden är organiserad i auktoriteter som kan ses som olika domäner. " +"Auktoriteterna för välkända SID:er är" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:284 msgid "Null Authority" -msgstr "" +msgstr "Null-auktoritet" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:285 msgid "World Authority" -msgstr "" +msgstr "Världsauktoritet" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:286 msgid "Local Authority" -msgstr "" +msgstr "Lokala auktoritet" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:287 msgid "Creator Authority" -msgstr "" +msgstr "Skaparauktoritet" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:288 msgid "NT Authority" -msgstr "" +msgstr "NT-auktoritetet" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:289 msgid "Built-in" -msgstr "" +msgstr "Inbyggd" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:291 @@ -19021,6 +20240,8 @@ msgid "" "The capitalized version of these names are used as domain names when " "returning the fully qualified name of a Well-Known SID." msgstr "" +"Den versala versionen av dessa namn används som domännamn när det " +"fullständigt kvalificerade namnet på en välkänd SID returneras." #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:295 
@@ -19034,21 +20255,30 @@ msgid "" "AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " "names in <filename>sssd.conf</filename>." msgstr "" +"Eftersom några verktyg tillåter att man ändrar SID-baserad " +"åtkomststyrningsinformation med hjälp av ett namn istället för att använda " +"SID:en direkt stödjer SSSD uppslagning av SID:en med detta namn också. För " +"att undvika kollisioner kan bara de fullständigt kvalificerade namnen " +"användas för att slå upp välkända SID:er. Som ett resultat skall " +"domännamnen <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> och <quote>BUILTIN</quote> inte användas som domännamn i " +"<filename>sssd.conf</filename>." #. type: Content of: <varlistentry><term> #: include/param_help.xml:3 msgid "<option>-?</option>,<option>--help</option>" -msgstr "" +msgstr "<option>-?</option>,<option>--help</option>" #. type: Content of: <varlistentry><listitem><para> #: include/param_help.xml:7 include/param_help_py.xml:7 msgid "Display help message and exit." -msgstr "" +msgstr "Visa ett hjälpmeddelande och avsluta." #. type: Content of: <varlistentry><term> #: include/param_help_py.xml:3 msgid "<option>-h</option>,<option>--help</option>" -msgstr "" +msgstr "<option>-h</option>,<option>--help</option>" #. type: Content of: <listitem><para> #: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 
@@ -19059,6 +20289,12 @@ msgid "" "is to specify a hexadecimal bitmask to enable or disable specific levels " "(such as if you wish to suppress a level)." msgstr "" +"SSSD stödjer två representationer för att ange felsökningsnivå. Det " +"enklaste är att ange ett decimalt värde från 0-9 som representerar " +"aktivering av den nivån och alla lägre nivåer av felsökningsmeddelanden. " +"Det mer fullständiga alternativet är att ange en hexadecimal bitmask för att " +"aktivera eller avaktivera specifika nivåer (såsom om du önskar undertrycka " +"en nivå)." #. type: Content of: <listitem><para> #: include/debug_levels.xml:10 @@ -19069,6 +20305,12 @@ msgid "" "responder or provider processes. The <quote>debug_level</quote> parameter " "should be added to all sections that you wish to produce debug logs from." msgstr "" +"Observera att varje SSSD-tjänst loggar till sin egen loggfil. Observera " +"också att aktivering av <quote>debug_level</quote> i avsnittet " +"<quote>[sssd]</quote> bara aktiverar felsökning just för själva sssd-" +"processen, inte för respondent- eller leverantörsprocesser. Parametern " +"<quote>debug_level</quote> skall läggas till i alla sektioner som man vill " +"producera felsökningsloggar ifrån." #. type: Content of: <listitem><para> #: include/debug_levels.xml:18 
@@ -19079,11 +20321,16 @@ msgid "" "<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry> tool." msgstr "" +"Utöver att ändra loggninvån i konfigurationsfilen med parametern " +"<quote>debug_level</quote>, som är bestående, men kräver omstart av SSSD, är " +"det även möjligt att ändra felsökningsnivån i farten med verktyget " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>." #. type: Content of: <listitem><para> #: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 msgid "Currently supported debug levels:" -msgstr "" +msgstr "Felsökningsnivåer som för närvarande stödjs:" #. type: Content of: <listitem><para> #: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 @@ -19092,6 +20339,8 @@ msgid "" "Anything that would prevent SSSD from starting up or causes it to cease " "running." msgstr "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Ödesdigra fel. Allt " +"som skulle hindra SSSD från att starta upp eller får den att sluta köra." #. type: Content of: <listitem><para> #: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 @@ -19100,6 +20349,9 @@ msgid "" "error that doesn't kill SSSD, but one that indicates that at least one major " "feature is not going to work properly." msgstr "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Kritiska fel. Ett fel " +"som inte dödar SSSD, men ett som indikerar att åtminstone en viktig funktion " +"inte kommer fungera korrekt." #. type: Content of: <listitem><para> #: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 
@@ -19107,6 +20359,8 @@ msgid "" "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " "error announcing that a particular request or operation has failed." msgstr "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Allvarliga fel. Ett " +"fel som rapporterar att en viss begäran eller operation har misslyckats." #. type: Content of: <listitem><para> #: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 @@ -19114,17 +20368,21 @@ msgid "" "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " "are the errors that would percolate down to cause the operation failure of 2." msgstr "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Smärre fel. Detta är " +"fel som skulle kunna bubbla ner till att orsaka funktionsfelet 2." #. type: Content of: <listitem><para> #: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 msgid "" "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." msgstr "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: " +"Konfigurationsinställningar." #. type: Content of: <listitem><para> #: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." -msgstr "" +msgstr "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Funktionsdata." #. type: Content of: <listitem><para> #: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 @@ -19132,6 +20390,8 @@ msgid "" "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " "operation functions." msgstr "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Spårmeddelanden för " +"åtgärdsfunktioner." #. type: Content of: <listitem><para> #: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 
@@ -19139,6 +20399,8 @@ msgid "" "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " "internal control functions." msgstr "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Spårmeddelanden för " +"interna styrfunktioner." #. type: Content of: <listitem><para> #: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 @@ -19146,6 +20408,8 @@ msgid "" "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" "internal variables that may be interesting." msgstr "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Innehållet i interna " +"variabler som kan vara intressant." #. type: Content of: <listitem><para> #: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 @@ -19153,6 +20417,8 @@ msgid "" "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " "tracing information." msgstr "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Spårningsinformation på " +"extremt låg nivå." #. type: Content of: <listitem><para> #: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 @@ -19160,6 +20426,8 @@ msgid "" "To log required bitmask debug levels, simply add their numbers together as " "shown in following examples:" msgstr "" +"För att logga begärda bitmaskfelsökningsnivåer, lägg helt enkelt ihop deras " +"tal som visas i följande exempel:" #. type: Content of: <listitem><para> #: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 @@ -19167,6 +20435,8 @@ msgid "" "<emphasis>Example</emphasis>: To log fatal failures, critical failures, " "serious failures and function data use 0x0270." msgstr "" +"<emphasis>Exempel</emphasis>: För att logga ödesdrigra fel, kritiska fel, " +"allvarliga fel och funktionsdata, använd 0x0270." #. type: Content of: <listitem><para> #: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 
@@ -19174,6 +20444,9 @@ msgid "" "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " "function data, trace messages for internal control functions use 0x1310." msgstr "" +"<emphasis>Exempel</emphasis>: För att logga ödesdigra fel, " +"konfigurationsinställningar, funktionsdata och spårmeddelanden för interna " +"styrfunktioner, använd 0x1310." #. type: Content of: <listitem><para> #: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 @@ -19181,11 +20454,13 @@ msgid "" "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " "in 1.7.0." msgstr "" +"<emphasis>Observera</emphasis>: bitmaskformatet för felsökningsnivåer " +"introducerades i 1.7.0." #. type: Content of: <listitem><para> #: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 msgid "<emphasis>Default</emphasis>: 0" -msgstr "" +msgstr "<emphasis>Standard</emphasis>: 0" #. type: Content of: outside any tag (error?) #: include/experimental.xml:1 @@ -19193,11 +20468,13 @@ msgid "" "<emphasis> This is an experimental feature, please use https://pagure.io/" "SSSD/sssd/ to report any issues. </emphasis>" msgstr "" +"<emphasis> Detta är en experimentell funktion, använd https://pagure.io/SSSD/" +"sssd/ för att rapportera eventuella problem. </emphasis>" #. type: Content of: <refsect1><title> #: include/local.xml:2 msgid "THE LOCAL DOMAIN" -msgstr "" +msgstr "DEN LOKALA DOMÄNEN" #. type: Content of: <refsect1><para> #: include/local.xml:4 @@ -19205,6 +20482,8 @@ msgid "" "In order to function correctly, a domain with <quote>id_provider=local</" "quote> must be created and the SSSD must be running." msgstr "" +"För att fungera korrekt måste en domän med <quote>id_provider=local</quote> " +"skapas och SSSD måste köra." #. type: Content of: <refsect1><para> #: include/local.xml:9 
@@ -19217,6 +20496,14 @@ msgid "" "<command>sss_user*</command> and <command>sss_group*</command> tools use a " "local LDB storage to store users and groups." msgstr "" +"Administratören kan vilja använda SSSD:s lokala användare istället för " +"traditionella UNIX-användare i fall när nästning av grupper (se " +"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>) behövs. De lokala användarna är också " +"användbara för att testa och utveckla SSSD utan att behöva installera en " +"fullständig fjärrserver. Verktygen <command>sss_user*</command> och " +"<command>sss_group*</command> använder en lokal LDB-lagring för att lagra " +"användare och grupper." #. type: Content of: <refsect1><para> #: include/seealso.xml:4 
@@ -19269,6 +20556,53 @@ msgid "" "<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> </phrase>" msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-files</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition=" +"\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition=" +"\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_cache</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <phrase condition=\"enable_local_provider\"> <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> 
<refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 
@@ -19276,17 +20610,19 @@ msgid "" "An optional base DN, search scope and LDAP filter to restrict LDAP searches " "for this attribute type." msgstr "" +"En valfri bas-DN, sökräckvidd och LDAP-filter för att begränsa LDAP-" +"sökningar för denna attributtyp." #. type: Content of: <listitem><para><programlisting> #: include/ldap_search_bases.xml:9 #, no-wrap msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" -msgstr "" +msgstr "search_base[?räckvidd?[filter][?search_base?räckvidd?[filter]]*]\n" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:7 msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" +msgstr "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:13 @@ -19295,6 +20631,9 @@ msgid "" "functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" "rfc4511" msgstr "" +"Räckvidden kan vara en av ”base”, ”onelevel” eller ”subtree”. " +"Räckviddsfunktionerna beskrivs i avsnitt 4.5.1.2 av http://tools.ietf.org/" +"html/rfc4511" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:23 @@ -19302,6 +20641,8 @@ msgid "" "For examples of this syntax, please refer to the <quote>ldap_search_base</" "quote> examples section." msgstr "" +"För exempel på denna syntax, se exempelsektionen av <quote>ldap_search_base</" +"quote>." #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:31 @@ -19310,6 +20651,9 @@ msgid "" "against an Active Directory Server that might yield a large number of " "results and trigger the Range Retrieval extension in the response." msgstr "" +"Observera att angivelse av räckvidd eller filter inte stödjs för sökningar i " +"en Active Directory-server som kan return resultera i ett stort antal " +"resultat och trigga utökningen Range Retrieval i svaret." #. type: Content of: <para> #: include/autofs_restart.xml:2 
@@ -19318,66 +20662,71 @@ msgid "" "any autofs-related changes are made to the sssd.conf, you typically also " "need to restart the automounter daemon after restarting the SSSD." msgstr "" +"Observera att automounter:n bara läser master-kartan vid uppstart, så om " +"några autofs-relaterade ändringar görs av sssd.conf behöver du normalt även " +"starta om automounter-demonen efter att ha startat om SSSD." #. type: Content of: <varlistentry><term> #: include/override_homedir.xml:2 msgid "override_homedir (string)" -msgstr "" +msgstr "override_homedir (sträng)" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:16 msgid "UID number" -msgstr "" +msgstr "UID-nummer" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:20 msgid "domain name" -msgstr "" +msgstr "domännamn" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:23 msgid "%f" -msgstr "" +msgstr "%f" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:24 msgid "fully qualified user name (user@domain)" -msgstr "" +msgstr "fullständigt kvalificerat användarnamn (användare@domän)" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:27 msgid "%l" -msgstr "" +msgstr "%l" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:28 msgid "The first letter of the login name." -msgstr "" +msgstr "Första bokstaven i inloggningsnamnet." #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:32 msgid "UPN - User Principal Name (name@REALM)" -msgstr "" +msgstr "UPN – Användarens Huvudnamn (namn@RIKE)" #. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:35 msgid "%o" -msgstr "" +msgstr "%o" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:37 msgid "The original home directory retrieved from the identity provider." msgstr "" +"Den ursprungliga hemkatalogen som hämtades från identitetsleverantören." #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:42 msgid "%H" -msgstr "" +msgstr "%H" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:44 msgid "The value of configure option <emphasis>homedir_substring</emphasis>." msgstr "" +"Värdet på konfigurationsalternativet <emphasis>homedir_substring</emphasis>." #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:5 @@ -19386,6 +20735,9 @@ msgid "" "or a template. In the template, the following sequences are substituted: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" +"Åsidosätt användarens hemkatalog. Du kan antingen ge ett absolut värde " +"eller en mall. I mallen ersätts följande sekvenser: <placeholder type=" +"\"variablelist\" id=\"0\"/>" #. type: Content of: <varlistentry><listitem><para><programlisting> #: include/override_homedir.xml:61 
@@ -19394,16 +20746,18 @@ msgid "" "override_homedir = /home/%u\n" " " msgstr "" +"override_homedir = /home/%u\n" +" " #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:65 msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" -msgstr "" +msgstr "Standard: Inte satt (SSSD kommer använda värdet som hämtas från LDAP)" #. type: Content of: <varlistentry><term> #: include/homedir_substring.xml:2 msgid "homedir_substring (string)" -msgstr "" +msgstr "homedir_substring (sträng)" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:5 @@ -19416,16 +20770,23 @@ msgid "" "per-domain or globally in the [nss] section. A value specified in a domain " "section will override one set in the [nss] section." msgstr "" +"Värdet på detta alternativ kommer användas i expansionen av alternativet " +"<emphasis>override_homedir</emphasis> om mallen innehåller formatsträngen " +"<emphasis>%H</emphasis>. En LDAP-katalogpost kan innehålla denna mall " +"direkt så att detta alternativ kan användas för att expandera sökvägen till " +"hemkatalogen för varje klientmaskin (eller operativsystem). Den kan sättar " +"per domän eller globalt i avsnittet [nss]. Ett värde som anges i ett " +"domänavsnitt kommer åsidosätta ett som är satt i avsnittet [nss]." #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:15 msgid "Default: /home" -msgstr "" +msgstr "Standard: /home" #. type: Content of: <refsect1><title> #: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 msgid "MODIFIED DEFAULT OPTIONS" -msgstr "" +msgstr "ÄNDRADE STANDARDALTERNATIV" #. type: Content of: <refsect1><para> #: include/ad_modified_defaults.xml:4 
@@ -19434,66 +20795,69 @@ msgid "" "defaults, these option names and AD provider-specific defaults are listed " "below:" msgstr "" +"Vissa alternativs standardvärde stämmer inte med deras respektive bakänders " +"standardvärden, dessa alternativnamn och AD-leverantörspecifika " +"standardvärden är uppräknade nedan:" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 msgid "KRB5 Provider" -msgstr "" +msgstr "KRB5-leverantör" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 msgid "krb5_validate = true" -msgstr "" +msgstr "krb5_validate = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:18 msgid "krb5_use_enterprise_principal = true" -msgstr "" +msgstr "krb5_use_enterprise_principal = true" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:24 msgid "LDAP Provider" -msgstr "" +msgstr "LDAP-leverantör" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:28 msgid "ldap_schema = ad" -msgstr "" +msgstr "ldap_schema = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 msgid "ldap_force_upper_case_realm = true" -msgstr "" +msgstr "ldap_force_upper_case_realm = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:38 msgid "ldap_id_mapping = true" -msgstr "" +msgstr "ldap_id_mapping = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:43 msgid "ldap_sasl_mech = gssapi" -msgstr "" +msgstr "ldap_sasl_mech = gssapi" #. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:48 msgid "ldap_referrals = false" -msgstr "" +msgstr "ldap_referrals = false" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ad" -msgstr "" +msgstr "ldap_account_expire_policy = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 msgid "ldap_use_tokengroups = true" -msgstr "" +msgstr "ldap_use_tokengroups = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:63 msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" -msgstr "" +msgstr "ldap_sasl_authid = sAMAccountName@RIKE (typiskt KORTNAMN$@RIKE)" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:66 
@@ -19506,16 +20870,23 @@ msgid "" "known host/hostname@REALM principal is a Service Principal and thus cannot " "be used to get a TGT with." msgstr "" +"AD-leverantören letar efter en annan huvudman än LDAP-leverantören som " +"standard, eftersom huvudmännen i en Active Directory-miljö är uppdelade i " +"två grupper – användarhuvudmän och tjänstehuvudmän. Endast " +"användarhuvudmannen kan användas för att hämta en TGT och som standard är " +"datorobjekts huvudman konstruerade från dess sAMAccountName och AD-riket. " +"Den välkända huvudmannen för värd/värdnamn@RIKE är en tjänstehuvudman och " +"kan därmed inte användas för att hämta en TGT." #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:80 msgid "NSS configuration" -msgstr "" +msgstr "NSS-konfiguration" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:84 msgid "fallback_homedir = /home/%d/%u" -msgstr "" +msgstr "fallback_homedir = /home/%d/%u" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:87 @@ -19526,6 +20897,11 @@ msgid "" "and you want to avoid this fallback behavior, you can explicitly set " "\"fallback_homedir = %o\"." msgstr "" +"AD-leverantören sätter automatiskt ”fallback_homedir = /home/%d/%u” för att " +"tillhandahålla personliga hemkataloger för användare utan attributet " +"homeDirectory. Om ens AD-domän är vederbörligen populerad med Posix-" +"attribut, och man vill undvika att falla tillbaka på detta beteende, kan man " +"uttryckligen sätta ”fallback_homedir = %o”." #. type: Content of: <refsect1><para> #: include/ipa_modified_defaults.xml:4 
@@ -19534,101 +20910,104 @@ msgid "" "defaults, these option names and IPA provider-specific defaults are listed " "below:" msgstr "" +"Vissa alternativs standardvärde stämmer inte med deras respektive bakänders " +"standardvärden, dessa alternativnamn och IPA-leverantörspecifika " +"standardvärden är uppräknade nedan:" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:18 msgid "krb5_use_fast = try" -msgstr "" +msgstr "krb5_use_fast = try" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:23 msgid "krb5_canonicalize = true" -msgstr "" +msgstr "krb5_canonicalize = true" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:29 msgid "LDAP Provider - General" -msgstr "" +msgstr "LDAP-leverantör – allmänt" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:33 msgid "ldap_schema = ipa_v1" -msgstr "" +msgstr "ldap_schema = ipa_v1" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSSAPI" -msgstr "" +msgstr "ldap_sasl_mech = GSSAPI" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:48 msgid "ldap_sasl_minssf = 56" -msgstr "" +msgstr "ldap_sasl_minssf = 56" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ipa" -msgstr "" +msgstr "ldap_account_expire_policy = ipa" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:64 msgid "LDAP Provider - User options" -msgstr "" +msgstr "LDAP-leverantör – användaralternativ" #. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:68 msgid "ldap_user_member_of = memberOf" -msgstr "" +msgstr "ldap_user_member_of = memberOf" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:73 msgid "ldap_user_uuid = ipaUniqueID" -msgstr "" +msgstr "ldap_user_uuid = ipaUniqueID" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:78 msgid "ldap_user_ssh_public_key = ipaSshPubKey" -msgstr "" +msgstr "ldap_user_ssh_public_key = ipaSshPubKey" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:83 msgid "ldap_user_auth_type = ipaUserAuthType" -msgstr "" +msgstr "ldap_user_auth_type = ipaUserAuthType" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:89 msgid "LDAP Provider - Group options" -msgstr "" +msgstr "LDAP-leverantör – gruppalternativ" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:93 msgid "ldap_group_object_class = ipaUserGroup" -msgstr "" +msgstr "ldap_group_object_class = ipaUserGroup" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:98 msgid "ldap_group_object_class_alt = posixGroup" -msgstr "" +msgstr "ldap_group_object_class_alt = posixGroup" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:103 msgid "ldap_group_member = member" -msgstr "" +msgstr "ldap_group_member = member" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:108 msgid "ldap_group_uuid = ipaUniqueID" -msgstr "" +msgstr "ldap_group_uuid = ipaUniqueID" #. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:113 msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" -msgstr "" +msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:118 msgid "ldap_group_external_member = ipaExternalMember" -msgstr "" +msgstr "ldap_group_external_member = ipaExternalMember" #~ msgid "" #~ "The background refresh will process users, groups and netgroups in the " 
@@ -19639,3 +21018,83 @@ msgstr "" #~ msgid "Default: homeDirectory" #~ msgstr "Standard: homeDirectory" + +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (heltal)" + +#~ msgid "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#~ msgstr "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the InteractiveLogonRight and " +#~ "DenyInteractiveLogonRight policy settings." +#~ msgstr "" +#~ "En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " +#~ "åtkomstkontroll beräknas baserat på policyinställningarna " +#~ "InteractiveLogonRight och DenyInteractiveLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the RemoteInteractiveLogonRight and " +#~ "DenyRemoteInteractiveLogonRight policy settings." +#~ msgstr "" +#~ "En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " +#~ "åtkomstkontroll beräknas baserat på policyinställningarna " +#~ "RemoteInteractiveLogonRight och DenyRemoteInteractiveLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the NetworkLogonRight and " +#~ "DenyNetworkLogonRight policy settings." 
+#~ msgstr "" +#~ "En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " +#~ "åtkomstkontroll beräknas baserat på policyinställningarna " +#~ "NetworkLogonRight och DenyNetworkLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +#~ "policy settings." +#~ msgstr "" +#~ "En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " +#~ "åtkomstkontroll beräknas baserat på policyinställningarna BatchLogonRight " +#~ "och DenyBatchLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the ServiceLogonRight and " +#~ "DenyServiceLogonRight policy settings." +#~ msgstr "" +#~ "En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad " +#~ "åtkomstkontroll beräknas baserat på policyinställningarna " +#~ "ServiceLogonRight och DenyServiceLogonRight." + +#~ msgid "" +#~ "The KCM service is configured in the <quote>kcm</quote> section of the " +#~ "sssd.conf file. Please note that currently, is it not sufficient to " +#~ "restart the sssd-kcm service, because the sssd configuration is only " +#~ "parsed and read to an internal configuration database by the sssd " +#~ "service. Therefore you must restart the sssd service if you change " +#~ "anything in the <quote>kcm</quote> section of sssd.conf. For a detailed " +#~ "syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +#~ "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +#~ "manvolnum> </citerefentry> manual page." +#~ msgstr "" +#~ "Tjänsten KCM konfigureras i avsnittet <quote>kcm</quote> av filen sssd." +#~ "conf file. Observera att för närvarande är det inte tillräckligt att " +#~ "starta om tjänsten sssd-kcm, eftersom konfigurationen av sssd bara tolkas " +#~ "och läses till en intern konfigurationsdatabas av tjänsten sssd. 
Därför " +#~ "måste man starta om tjänsten sssd om man ändrar något i avsnittet " +#~ "<quote>kcm</quote> av sssd.conf. för en detaljerad syntaxreferens, se " +#~ "avsnittet <quote>FILFORMAT</quote> manualsidan <citerefentry> " +#~ "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#~ "citerefentry>." diff --git a/src/man/po/tg.po b/src/man/po/tg.po index c38fcce7e01..d723e7aa18b 100644 --- a/src/man/po/tg.po +++ b/src/man/po/tg.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-15 12:10+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/" @@ -30,7 +30,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "" @@ -73,7 +73,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "ШАРҲ" @@ -132,7 +132,7 @@ msgstr "" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" 
@@ -141,7 +141,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" @@ -292,12 +292,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Пешфарз: true" 
@@ -314,19 +314,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Пешфарз: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -349,8 +353,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Пешфарз: 10" @@ -365,7 +369,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -413,19 +417,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Пешфарз: 3" @@ -445,7 +449,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -465,12 +469,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -478,39 +482,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -525,20 +529,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -546,52 +561,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -604,17 +619,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -624,7 +639,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -637,23 +652,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -663,7 +678,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -672,22 +687,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -695,69 +710,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Пешфарз: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -765,19 +799,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -785,24 +819,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -811,7 +845,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -819,8 +853,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -828,68 +876,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -900,7 +948,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -917,7 +965,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -934,12 +982,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -948,22 +996,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -973,17 +1021,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -993,18 +1041,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1012,24 +1060,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1037,12 +1085,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1054,58 +1102,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Пешфарз: 120" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1113,7 +1161,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1123,7 +1171,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1132,17 +1180,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Пешфарз: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1150,17 +1198,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Пешфарз: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1168,17 +1216,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1187,7 +1235,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1196,41 +1244,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Пешфарз: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1238,23 +1286,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1262,47 +1310,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1310,112 +1358,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Пешфарз: /bin/sh" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1426,96 +1474,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Пешфарз: 0 (Номаҳдуд)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1523,59 +1571,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Пешфарз: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Пешфарз: 1" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1584,61 +1632,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1646,7 +1694,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1655,17 +1703,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1673,31 +1721,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Пешфарз: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1707,75 +1755,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1783,19 +1831,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1803,12 +1851,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1816,77 +1864,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1894,7 +1942,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1906,63 +1954,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1970,12 +2018,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1986,7 +2034,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -1994,7 +2042,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2002,7 +2050,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2011,12 +2059,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2027,24 +2075,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2054,22 +2102,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2077,51 +2125,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2130,24 +2178,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2158,7 +2233,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2169,24 +2244,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2194,12 +2269,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2208,24 +2283,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2235,66 +2310,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2302,17 +2377,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2320,7 +2395,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2328,22 +2403,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2352,14 +2427,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2368,38 +2443,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2408,24 +2483,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2434,29 +2509,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Пешфарз: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " 
@@ -2470,14 +2545,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2486,39 +2561,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2527,19 +2602,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2550,115 +2625,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Пешфарз: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2667,42 +2742,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2710,24 +2785,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2736,17 +2811,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Пешфарз: 0 (номаҳдуд)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2755,34 +2830,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2790,7 +2865,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2798,8 +2873,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2808,8 +2883,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2817,19 +2892,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2838,7 +2913,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2846,22 +2921,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2873,7 +2948,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2881,19 +2956,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2901,7 +2976,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2909,35 +2984,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2945,19 +3020,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2966,7 +3041,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2974,29 +3049,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3004,7 +3079,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3012,35 +3087,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3048,32 +3123,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3084,7 +3159,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3093,12 +3168,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3106,7 +3181,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3114,31 +3189,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3146,7 +3221,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3155,17 +3230,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3173,43 +3248,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3217,7 +3292,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3225,7 +3300,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3233,24 +3308,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3258,12 +3333,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3273,7 +3348,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3282,29 +3357,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3312,7 +3387,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3322,59 +3397,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3383,77 +3458,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Пешфарз: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3461,7 +3536,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3470,17 +3545,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3488,34 +3563,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3523,32 +3598,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3558,34 +3633,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3594,19 +3669,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3614,24 +3689,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3640,24 +3715,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3667,14 +3742,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3682,21 +3757,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3704,7 +3779,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3713,7 +3788,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3722,7 +3797,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3730,29 +3805,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3760,12 +3835,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3774,12 +3849,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3787,19 +3862,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3816,7 +3891,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3824,17 +3899,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3843,7 +3918,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3853,7 +3928,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3873,12 +3948,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3886,73 +3961,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Пешфарз: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3960,17 +4035,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3979,17 +4054,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -3997,17 +4072,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4015,17 +4090,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4036,69 +4111,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4111,7 +4186,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4119,7 +4194,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4128,55 +4203,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4185,17 +4260,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4203,26 +4278,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4231,17 +4306,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4251,7 +4326,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4260,59 +4335,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4320,14 +4395,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4335,7 +4410,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4343,12 +4418,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4378,7 +4453,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4387,7 +4462,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4395,7 +4470,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4406,7 +4481,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4420,7 +4495,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4476,12 +4551,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4491,33 +4566,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4526,71 +4601,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Намунаҳо:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4599,7 +4674,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4610,12 +4685,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4623,32 +4698,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4659,37 +4734,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Пешфарз: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4698,10729 +4773,10969 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "парол" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Пешфарз: парол" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." 
+#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" +#: sssd-ldap.5.xml:359 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Пешфарз: 2" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:386 msgid "" -"Active Directory primary group attribute for ID-mapping. 
Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#. 
type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." 
+#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:445 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:487 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 -msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." 
+"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. 
" +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. 
It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:664 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 -msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:698 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:741 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +#: sssd-ldap.5.xml:757 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 +#: sssd-ldap.5.xml:770 msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. 
In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:789 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#: sssd-ldap.5.xml:810 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:814 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. 
When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:862 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:877 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Пешфарз: false;" + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 -msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#: sssd-ldap.5.xml:904 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." 
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:974 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. 
This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:1017 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:1022 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:1027 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:1057 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1121 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. 
If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Намуна:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1148 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1153 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1184 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1189 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1196 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Пешфарз: 2" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1202 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." 
+#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1294 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#: sssd-ldap.5.xml:1350 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." 
+#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1369 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1400 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 -msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1449 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1474 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1541 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1559 msgid "" -"Disable the LDAP paging control. This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1577 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "НАМУНА" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "ЭЗОҲҲО" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 -msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. 
In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. 
Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Пешфарз: false;" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. 
Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "ФАЙЛҲО" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 -msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 +msgid "" +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 -msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." 
+"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 -msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"If any list is provided, the order of evaluation is allow,deny. 
This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Намуна:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 -msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. 
Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 -msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 -msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 -msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 -msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. 
It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. 
<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "НАМУНА" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. 
type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "ЭЗОҲҲО" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. 
The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "ФАЙЛҲО" - -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 -msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 -msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 -msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. 
The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. 
If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." 
+"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. 
For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 -msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. 
The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 -msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#: sssd-ipa.5.xml:643 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:656 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 -msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:696 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. 
After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. 
With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +"ldap_id_mapping = False\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. 
Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 -msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. 
By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 -msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. 
Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:495 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:515 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:531 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:549 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:554 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. 
" -"However, it is neither necessary nor recommended to set these options." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 -msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 -msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:638 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:657 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:663 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 -msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#: sssd-ad.5.xml:697 msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:715 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:721 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 -msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." 
+"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. 
For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:790 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:808 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:826 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:852 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:857 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:901 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:927 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. 
Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. 
Use the given string as search base for master domain object." +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#: sssd-ad.5.xml:1004 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:1022 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +"Optional. 
This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:1068 msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:1081 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." 
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 -msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 -msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). 
If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 -msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 -msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 -msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap -msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 -msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 -msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." 
+"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#: sss_obfuscate.8.xml:32 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sss_obfuscate.8.xml:37 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sss_obfuscate.8.xml:49 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"The SSSD domain to use the password in. The default name is <quote>default</" "quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"ldap_id_mapping = False\n" -" " +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. 
If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 -msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 -msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. 
For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. 
Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. 
If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. 
For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 -msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. 
However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 -msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 -msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 -msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 -msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. 
The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." 
+"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. 
" +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." 
+"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap -msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:122 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#: sssd-krb5.5.xml:138 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 -msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " -msgstr "" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "Номи логин" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap -msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 -msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. 
The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:225 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." 
+"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:243 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:257 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. 
The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#: sssd-krb5.5.xml:275 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." 
+#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap -msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 -msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 -msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap -msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. 
Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 -msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 -msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 -msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. 
This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#: sss_groupadd.8.xml:48 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#: sss_userdel.8.xml:48 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#: sss_userdel.8.xml:60 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_userdel.8.xml:72 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." 
+#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_usermod.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_usermod.8.xml:32 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 -msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 -msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. 
Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 -msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:53 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:90 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:112 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:119 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_cache.8.xml:134 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#: sss_cache.8.xml:141 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 -msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 -msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_cache.8.xml:178 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_cache.8.xml:201 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. 
See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_debuglevel.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_debuglevel.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 -msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +#: sss_seed.8.xml:46 msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_seed.8.xml:51 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. 
The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#: sss_seed.8.xml:63 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 +#: sss_seed.8.xml:68 msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#: sss_seed.8.xml:117 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sss_seed.8.xml:140 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#: sss_seed.8.xml:148 msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sss_seed.8.xml:153 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"Specify file to read user's password from. 
(if not specified password is " +"prompted for)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 -msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). 
The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 -msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 -msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 -msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 -msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "Номи логин" - -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." 
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 -msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 -msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<emphasis>try</emphasis> to use FAST. 
If the server does not support FAST, " -"continue the authentication without it." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#: sssd-secrets.5.xml:75 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:61 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sssd-secrets.5.xml:186 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 -msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#: sssd-secrets.5.xml:207 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:219 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 -msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 -msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:278 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 -msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#: sssd-secrets.5.xml:310 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. 
The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 -msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." 
+#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:359 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." 
+#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#: sssd-secrets.5.xml:444 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." 
+"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 -msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"The username of the entry to be created or modified in the cache. 
The " -"<replaceable>USER</replaceable> option must be provided." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Пешфарз: 6" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Пешфарз: 6" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:32 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 -msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 #, no-wrap msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 -msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 +msgid "" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap +msgid "" +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 -msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 -msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 -msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 -msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 -msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." 
msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 -#, no-wrap -msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 -msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 -msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#: sssd-systemtap.5.xml:412 msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 -msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 -msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-ldap-attributes.5.xml:23 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." 
+"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap -msgid "" -"passwd: sss files\n" -"group: sss files\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. 
This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 -msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. 
The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. 
Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap -msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 -msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 -msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 -msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. 
If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 -msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that references group members that are defined in an " +"external domain. 
At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Пешфарз: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Пешфарз: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#: sssd-ldap-attributes.5.xml:968 +msgid "SERVICE ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title> diff --git a/src/man/po/uk.po b/src/man/po/uk.po index 9ee730c24eb..16d288464fb 100644 --- a/src/man/po/uk.po +++ b/src/man/po/uk.po 
@@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2019-06-14 04:59+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/" @@ -38,7 +38,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "Сторінки підручника SSSD" @@ -84,7 +84,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "ОПИС" @@ -154,7 +154,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" 
@@ -163,7 +163,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Формати файлів та правила" @@ -360,12 +360,12 @@ msgstr "" "проігноровано." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "Типове значення: true" 
@@ -385,19 +385,23 @@ msgstr "" "journald, цей параметр буде проігноровано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "Типове значення: false" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -424,8 +428,8 @@ msgstr "" "самостійно." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "Типове значення: 10" @@ -440,7 +444,7 @@ msgid "The [sssd] section" msgstr "Розділ [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "Параметри розділу" @@ -501,12 +505,12 @@ msgstr "" "\"systemctl enable sssd-@service@.socket\". </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "reconnection_retries (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" @@ -516,7 +520,7 @@ msgstr "" "визнання подальших спроб безнадійними." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "Типове значення: 3" 
@@ -542,7 +546,7 @@ msgstr "" "ASCII, дефісів, крапок та знаків підкреслювання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "re_expression (рядок)" @@ -568,12 +572,12 @@ msgstr "" "ДОМЕНІВ." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "full_name_format (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -585,32 +589,32 @@ msgstr "" "домену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "%1$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "ім’я користувача" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "%2$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "%3$s" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." 
@@ -619,7 +623,7 @@ msgstr "" "Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" 
@@ -638,16 +642,35 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 +#, fuzzy +#| msgid "krb5_use_kdcinfo (boolean)" +msgid "monitor_resolv_conf (boolean)" +msgstr "krb5_use_kdcinfo (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 msgid "try_inotify (boolean)" msgstr "try_inotify (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:325 +#: sssd.conf.5.xml:338 +#, fuzzy +#| msgid "" +#| "SSSD monitors the state of resolv.conf to identify when it needs to " +#| "update its internal DNS resolver. By default, we will attempt to use " +#| "inotify for this, and will fall back to polling resolv.conf every five " +#| "seconds if inotify cannot be used." msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" "SSSD спостерігає за станом resolv.conf для визначення моменту, коли слід " "оновити дані вбудованого інструменту визначення DNS. Типово, з цією метою " 
@@ -655,7 +678,7 @@ msgstr "" "виконуватиметься опитування resolv.conf кожні п’ять секунд." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " @@ -665,7 +688,7 @@ msgstr "" "рідкісних випадках слід встановити для цього параметра значення «false»." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." @@ -674,7 +697,7 @@ msgstr "" "інших платформах." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." @@ -684,12 +707,12 @@ msgstr "" "опитування файла." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." 
@@ -698,7 +721,7 @@ msgstr "" "Kerberos." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." @@ -708,7 +731,7 @@ msgstr "" "для кешу відтворення." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" @@ -717,12 +740,12 @@ msgstr "" "(__LIBKRB5_DEFAULTS__, якщо не вказано)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "user (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " 
@@ -744,17 +767,17 @@ msgstr "" "користувача, від імені якого запущено відповідач NSS. </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "Типове значення: не встановлено, процес буде запущено від імені root" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "default_domain_suffix (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -770,7 +793,7 @@ msgstr "" "лише імені користувача без додавання до нього назви домену." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 #, fuzzy #| msgid "" #| "Please note that if this option is set all users from the primary domain " 
@@ -796,23 +819,23 @@ msgstr "" "use_fully_qualified_names рівним False." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "Типове значення: not set" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "override_space (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " 
@@ -827,7 +850,7 @@ msgstr "" "через типовий роздільник полів у оболонці." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " @@ -840,22 +863,22 @@ msgstr "" "але, загалом, результат пошуку буде невизначеним." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "Типове значення: не встановлено (пробіли не замінятимуться)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "certificate_verification (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "no_ocsp" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -866,57 +889,78 @@ msgstr "" "у сертифікаті, є недоступними з клієнта." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +#, fuzzy +#| msgid "no_ocsp" +msgid "soft_ocsp" +msgstr "no_ocsp" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 5" msgid "Default: sha256" msgstr "Типове значення: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "no_verification" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." 
@@ -925,12 +969,12 @@ msgstr "" "тестування." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "ocsp_default_responder=URL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -941,7 +985,7 @@ msgstr "" "відповідача, наприклад http://example.com:80/ocsp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." @@ -950,12 +994,12 @@ msgstr "" "ocsp_default_responder_signing_cert." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "ocsp_default_responder_signing_cert=НАЗВА" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -966,13 +1010,13 @@ msgstr "" "альтернативною назвою має зберігатися у базі даних NSS системи." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" "Цим параметром слід користуватися разом із параметром ocsp_default_responder." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." @@ -982,12 +1026,12 @@ msgstr "" "pam_cert_db_path." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "crl_file=/ШЛЯХ/ДО/ФАЙЛА/CRL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -1000,7 +1044,7 @@ msgstr "" "відкликання сертифікатів (CRL) до бази даних NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -1012,8 +1056,22 @@ msgstr "" "форматі PEM, див. <citerefentry> <refentrytitle>crl</refentrytitle> " "<manvolnum>1ssl</manvolnum> </citerefentry>, щоб дізнатися більше." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -1024,36 +1082,36 @@ msgstr "" "параметри: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "Цю сторінку підручника було створено для версії NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "Цю сторінку підручника було створено для версії OpenSSL." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" "Обробник параметрів повідомлятиме про невідомі параметри і просто " "ігноруватиме їх." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" "Типове значення: не встановлено, тобто перевірка сертифікатів нічим не " "обмежуватиметься" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "disable_netlink (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." 
@@ -1062,7 +1120,7 @@ msgstr "" "адресах, посилання та виконання певних дій." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" @@ -1071,17 +1129,17 @@ msgstr "" "можна вимкнути встановленням для цього параметра значення «true»" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "Типове значення: false (виявлення змін у netlink)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "enable_files_domain (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." @@ -1090,12 +1148,12 @@ msgstr "" "<quote>id_provider=files</quote> до усіх явним чином налаштованих доменів." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "domain_resolution_order" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " 
@@ -1112,7 +1170,7 @@ msgstr "" "відбуватиметься у випадковому порядку для кожного батьківського домену." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -1143,7 +1201,7 @@ msgstr "" "різних доменах можуть бути однаковими." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "Типове значення: не встановлено" @@ -1165,12 +1223,12 @@ msgstr "" "профілів. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "РОЗДІЛИ СЛУЖБ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " 
@@ -1183,22 +1241,22 @@ msgstr "" "у розділі <quote>[nss]</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "Загальні параметри налаштування служб" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "Цими параметрами можна скористатися для налаштування будь-яких служб." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "fd_limit" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " @@ -1214,17 +1272,17 @@ msgstr "" "цього параметра і обмеженням \"hard\" у limits.conf." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "Типове значення: 8192 (або обмеження у limits.conf \"hard\")" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "client_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " 
@@ -1240,18 +1298,18 @@ msgstr "" "до 10 секунд." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "Типове значення: 60" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "offline_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " @@ -1263,12 +1321,12 @@ msgstr "" "значення вказується у секундах і обчислюється за такою формулою:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "час_очікування_для_переходу_у_автономний_режим + випадковий_зсув" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" 
@@ -1278,12 +1336,12 @@ msgstr "" "таким чином:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "новий_інтервал = старий_інтервал*2 + випадковий_зсув" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1294,12 +1352,12 @@ msgstr "" "перевищує годину, буде встановлено інтервал у одну годину." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "responder_idle_timeout" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1318,18 +1376,18 @@ msgstr "" "і якщо служби активуються за допомогою або сокетів або D-Bus." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "Типове значення: 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "cache_first" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." @@ -1338,12 +1396,12 @@ msgstr "" "запису до модулів засобів надання даних." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "Параметри налаштування NSS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" @@ -1351,12 +1409,12 @@ msgstr "" "Switch (NSS або перемикання служби визначення назв)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "enum_cache_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" 
@@ -1365,17 +1423,17 @@ msgstr "" "кеші nss_sss у секундах" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "Типове значення: 120" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "entry_cache_nowait_percentage (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1386,7 +1444,7 @@ msgstr "" "entry_cache_timeout для домену період часу." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1401,7 +1459,7 @@ msgstr "" "розблокування після оновлення кешу." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1415,17 +1473,17 @@ msgstr "" "можливість." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "Типове значення: 50" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "entry_negative_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1436,17 +1494,17 @@ msgstr "" "даних, зокрема неіснуючих) перед повторним запитом до сервера обробки." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "Типове значення: 15" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "local_negative_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1458,17 +1516,17 @@ msgstr "" "цю можливість." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "Типове значення: 14400 (4 години)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "filter_users, filter_groups (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1483,7 +1541,7 @@ msgstr "" "реєстраційного запису користувача (UPN)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " @@ -1497,17 +1555,17 @@ msgstr "" "відфільтрованої групи." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "Типове значення: root" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "filter_users_in_groups (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" 
@@ -1515,12 +1573,12 @@ msgstr "" "встановіть для цього параметра значення «false»." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "fallback_homedir (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." @@ -1529,7 +1587,7 @@ msgstr "" "каталог не вказано явним чином засобом надання даних домену." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" @@ -1537,7 +1595,7 @@ msgstr "" "для параметра override_homedir." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1547,25 +1605,25 @@ msgstr "" " " #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "приклад: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" "Типове значення: не встановлено (без замін для невстановлених домашніх " "каталогів)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "override_shell (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1577,19 +1635,19 @@ msgstr "" "або для кожного з доменів окремо." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" "Типове значення: не встановлено (SSSD використовуватиме значення, отримане " "від LDAP)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "allowed_shells (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" @@ -1597,13 +1655,13 @@ msgstr "" "визначення оболонки є таким:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" "1. Якщо оболонку вказано у <quote>/etc/shells</quote>, її буде використано." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." @@ -1613,7 +1671,7 @@ msgstr "" "shell_fallback." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." 
@@ -1622,14 +1680,14 @@ msgstr "" "<quote>/etc/shells</quote>, буде використано оболонку nologin." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" "Для визначення будь-якої командної оболонки можна скористатися шаблоном " "заміни (*)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " @@ -1641,12 +1699,12 @@ msgstr "" "справою." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "Порожній рядок оболонки буде передано без обробки до libc." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." 
@@ -1655,29 +1713,29 @@ msgstr "" "тобто у разі встановлення нової оболонки слід перезапустити SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" "Типове значення: не встановлено. Автоматично використовується оболонка " "користувача." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "vetoed_shells (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "Замінити всі записи цих оболонок на shell_fallback" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "shell_fallback (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" 
@@ -1685,17 +1743,17 @@ msgstr "" "системі не встановлено." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "Типове значення: /bin/sh" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "default_shell" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." @@ -1705,7 +1763,7 @@ msgstr "" "або на загальному рівні у розділі [nss], або окремо для кожного з доменів." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" @@ -1715,12 +1773,12 @@ msgstr "" "зазвичай /bin/sh)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "get_domains_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." 
@@ -1729,12 +1787,12 @@ msgstr "" "чинним." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "memcache_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." @@ -1744,7 +1802,7 @@ msgstr "" "пам'яті." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." @@ -1753,7 +1811,7 @@ msgstr "" "варто користуватися лише для тестування." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." @@ -1763,12 +1821,12 @@ msgstr "" "пам’яті." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "user_attributes (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1785,7 +1843,7 @@ msgstr "" "manvolnum> </citerefentry>, щоб дізнатися більше), але без типових значень." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." @@ -1794,19 +1852,19 @@ msgstr "" "на те, чи не встановлено його для відповідача NSS." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" "Типове значення: не встановлено, резервне значення визначається за " "параметром InfoPipe" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "pwfield (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." @@ -1815,13 +1873,13 @@ msgstr "" "груп, для поля <quote>password</quote>." #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" "Значення цього параметра можна встановлювати для кожного з доменів окремо." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" 
@@ -1830,12 +1888,12 @@ msgstr "" "(файловий домен)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "Параметри налаштування PAM" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." @@ -1844,12 +1902,12 @@ msgstr "" "Authentication Module (PAM або блокового модуля розпізнавання)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "offline_credentials_expiration (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." @@ -1859,17 +1917,17 @@ msgstr "" "входу до системи)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "Типове значення: 0 (без обмежень)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "offline_failed_login_attempts (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." 
@@ -1878,12 +1936,12 @@ msgstr "" "дозволену кількість спроб входу з визначенням помилкового пароля." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "offline_failed_login_delay (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." @@ -1893,7 +1951,7 @@ msgstr "" "системи." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " @@ -1905,17 +1963,17 @@ msgstr "" "увімкнути можливість автономного розпізнавання." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "Типове значення: 5" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "pam_verbosity (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." 
@@ -1924,43 +1982,43 @@ msgstr "" "розпізнавання. Чим більшим є значення, тим більше повідомлень буде показано." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "У поточній версії sssd передбачено підтримку таких значень:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "<emphasis>0</emphasis>: не показувати жодних повідомлень" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "<emphasis>1</emphasis>: показувати лише важливі повідомлення" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "<emphasis>2</emphasis>: показувати всі інформаційні повідомлення" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" "<emphasis>3</emphasis>: показувати всі повідомлення та діагностичні дані" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "Типове значення: 1" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "pam_response_filter (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " @@ -1974,7 +2032,7 @@ msgstr "" "встановлювати за допомогою pam_sss." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." 
@@ -1984,37 +2042,37 @@ msgstr "" "повідомлень." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "ENV" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "Не надсилати жодних змінних середовища до жодної служби." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "ENV:назва_змінної" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "Не надсилати змінної середовища назва_змінної до жодної служби." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "ENV:назва_змінної:служба" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "Не надсилати змінної середовища назва_змінної до вказаної служби." #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -2023,17 +2081,17 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "Приклад: ENV:KRB5CCNAME:sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "pam_id_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -2044,7 +2102,7 @@ msgstr "" "що розпізнавання виконується на основі найсвіжіших даних." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -2058,18 +2116,18 @@ msgstr "" "надання даних профілів." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "pam_pwd_expiration_warning (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" "Показати попередження за вказану кількість днів перед завершенням дії пароля." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -2080,7 +2138,7 @@ msgstr "" "попередження." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." @@ -2090,7 +2148,7 @@ msgstr "" "буде автоматично показано." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." 
@@ -2099,17 +2157,17 @@ msgstr "" "<emphasis>pwd_expiration_warning</emphasis> для окремого домену." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "Типове значення: 0" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "pam_trusted_users (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " @@ -2125,13 +2183,13 @@ msgstr "" "під час запуску системи." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" "Типове значення: типово усі користувачі вважаються надійними (довіреними)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." 
@@ -2140,12 +2198,12 @@ msgstr "" "відповідача PAM, навіть якщо користувача немає у списку pam_trusted_users." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "pam_public_domains (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." @@ -2154,12 +2212,12 @@ msgstr "" "отримувати навіть ненадійні користувачі." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "Визначено два спеціальних значення параметра pam_public_domains:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" @@ -2167,7 +2225,7 @@ msgstr "" "PAM.)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" 
@@ -2176,19 +2234,19 @@ msgstr "" "відповідачі.)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "Типове значення: none" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "pam_account_expired_message (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." @@ -2197,7 +2255,7 @@ msgstr "" "замінити типове повідомлення «Доступ заборонено» («Permission denied»)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." @@ -2207,7 +2265,7 @@ msgstr "" "(показувати усі повідомлення і діагностичні дані)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -2217,12 +2275,12 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "pam_account_locked_message (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." @@ -2231,7 +2289,7 @@ msgstr "" "типове повідомлення «Доступ заборонено» («Permission denied»)." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -2241,12 +2299,12 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "pam_cert_auth (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -2257,19 +2315,19 @@ msgstr "" "розпізнавання, типово таку сертифікацію вимкнено." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "Типове значення: False" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "pam_cert_db_path (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." 
@@ -2278,17 +2336,17 @@ msgstr "" "смарткартки." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "Типове значення:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "/etc/pki/nssdb (версія NSS, шлях до бази даних NSS)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" 
@@ -2297,24 +2355,24 @@ msgstr "" "довіреними сертифікатами служб сертифікації у форматі PEM)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "p11_child_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" "Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи " "p11_child." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "pam_app_services (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" @@ -2323,12 +2381,12 @@ msgstr "" "типу <quote>application</quote>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "pam_p11_allowed_services (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." @@ -2337,7 +2395,7 @@ msgstr "" "використання смарткарток." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" 
@@ -2347,7 +2405,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -2366,64 +2424,64 @@ msgstr "" "type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" "Типове значення: типовий набір назв служб PAM складається з таких значень:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "login" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "su" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "su-l" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "gdm-smartcard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "gdm-password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "kdm" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "sudo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "sudo-i" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "gnome-screensaver" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "p11_wait_for_card_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " 
@@ -2434,12 +2492,12 @@ msgstr "" "має чекати на вставлення смарткартки." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "p11_uri (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " @@ -2458,7 +2516,7 @@ msgstr "" "слід використовувати вказаний зчитувач." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2468,7 +2526,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2478,7 +2536,7 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " 
@@ -2492,12 +2550,12 @@ msgstr "" "який покаже і адреси PKCS#11." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "Параметри налаштування SUDO" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" @@ -2515,12 +2573,12 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "sudo_timed (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." @@ -2529,12 +2587,12 @@ msgstr "" "призначені для визначення часових обмежень для записів sudoers." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "sudo_threshold (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " 
@@ -2550,22 +2608,22 @@ msgstr "" "sudo IPA та групових пошуків команд." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "Параметри налаштування AUTOFS" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "Цими параметрами можна скористатися для налаштування служби autofs." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "autofs_negative_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2576,22 +2634,22 @@ msgstr "" "базі даних, зокрема неіснуючих) перед повторним запитом до сервера обробки." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "Параметри налаштувань SSH" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "Цими параметрами можна скористатися для налаштування служби SSH." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "ssh_hash_known_hosts (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." @@ -2599,12 +2657,12 @@ msgstr "" "Чи слід хешувати назви та адреси вузлів у керованому файлі known_hosts." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "ssh_known_hosts_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." 
@@ -2613,17 +2671,17 @@ msgstr "" "файлі known_hosts після надсилання запиту щодо ключів вузла." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "Типове значення: 180" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "ssh_use_certificate_keys (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2637,12 +2695,43 @@ msgstr "" "refentrytitle> <manvolnum>1</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "ldap_user_certificate (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +#, fuzzy +#| msgid "Default: not set (spaces will not be replaced)" +msgid "Default: not set, all found rules are used" +msgstr "Типове значення: не встановлено (пробіли не замінятимуться)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "ca_db (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." 
@@ -2651,12 +2740,12 @@ msgstr "" "перевірки сертифікатів користувачів до отримання з них відкритих ключів ssh." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "Параметри налаштування відповідача PAC" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2674,7 +2763,7 @@ msgstr "" "декодовано і визначено, виконуються деякі з таких дій:" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2692,7 +2781,7 @@ msgstr "" "параметра default_shell." #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." 
@@ -2701,18 +2790,18 @@ msgstr "" "додано до цих груп." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" "Цими параметрами можна скористатися для налаштовування відповідача PAC." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "allowed_uids (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " @@ -2723,14 +2812,14 @@ msgstr "" "іменами користувачів визначатимуться під час запуску." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" "Типове значення: 0 (доступ до відповідача PAC має лише адміністративний " "користувач (root))" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " 
@@ -2744,12 +2833,12 @@ msgstr "" "запис 0." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "pac_lifetime (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." @@ -2758,12 +2847,12 @@ msgstr "" "використовувати для визначення членства користувача у групі." #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "Параметри налаштовування запису сеансів" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2778,32 +2867,32 @@ msgstr "" "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "scope (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "\"none\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "Користувачі не записуються." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "\"some\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." 
@@ -2812,17 +2901,17 @@ msgstr "" "<replaceable>користувачі</replaceable> і <replaceable>групи</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "\"all\"" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "Усі користувачі записуються." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" 
@@ -2831,17 +2920,17 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "Типове значення: none" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "users (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " @@ -2853,17 +2942,17 @@ msgstr "" "тощо." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "Типове значення: порожнє. Не відповідає жодному користувачу." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "groups (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " 
@@ -2875,7 +2964,7 @@ msgstr "" "символів тощо." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " @@ -2887,22 +2976,22 @@ msgstr "" "належить користувач." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "Типове значення: порожнє. Не відповідає жодній групі." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "РОЗДІЛИ ДОМЕНІВ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "domain_type (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2915,7 +3004,7 @@ msgstr "" "з доменів POSIX." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." 
@@ -2924,7 +3013,7 @@ msgstr "" "<quote>application</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " @@ -2936,7 +3025,7 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) і відповідача PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." @@ -2945,7 +3034,7 @@ msgstr "" "application з <quote>id_provider=ldap</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." @@ -2954,17 +3043,17 @@ msgstr "" "ласка, ознайомтеся із розділом <quote>Домени програм</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "Типове значення: posix" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "min_id,max_id (ціле значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." 
@@ -2973,7 +3062,7 @@ msgstr "" "відповідає цим обмеженням, його буде проігноровано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" @@ -2986,7 +3075,7 @@ msgstr "" "основної групи і належать діапазону, буде виведено у звичайному режимі." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." @@ -2995,17 +3084,17 @@ msgstr "" "лише повернення записів за назвою або ідентифікатором." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "enumerate (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -3018,22 +3107,22 @@ msgstr "" "мати такі значення:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "TRUE = користувачі і групи нумеруються" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "FALSE = не використовувати нумерацію для цього домену" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "Типове значення: FALSE" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." @@ -3042,7 +3131,7 @@ msgstr "" "користувачів і груп із віддаленого сервера." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -3065,7 +3154,7 @@ msgstr "" "<quote>sssd_be</quote> або навіть перезапуску усього засобу стеження." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." 
@@ -3075,7 +3164,7 @@ msgstr "" "завершено." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " @@ -3089,7 +3178,7 @@ msgstr "" "відповідного використаного засобу обробки ідентифікаторів (id_provider)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." 
@@ -3098,32 +3187,32 @@ msgstr "" "об’ємних середовищах." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "subdomain_enumerate (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "all" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "Усі виявлені надійні домени буде пронумеровано" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "none" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "Нумерація виявлених надійних доменів не виконуватиметься" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -3136,12 +3225,12 @@ msgstr "" "доменів, для яких буде увімкнено нумерацію." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "entry_cache_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" @@ -3150,7 +3239,7 @@ msgstr "" "надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " @@ -3167,17 +3256,17 @@ msgstr "" "<manvolnum>8</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "Типове значення: 5400" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "entry_cache_user_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" 
@@ -3186,19 +3275,19 @@ msgstr "" "чинними, перш ніж надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "Типове значення: entry_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "entry_cache_group_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" @@ -3207,12 +3296,12 @@ msgstr "" "ніж надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "entry_cache_netgroup_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" 
@@ -3221,12 +3310,12 @@ msgstr "" "чинними, перш ніж надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "entry_cache_service_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" @@ -3235,12 +3324,12 @@ msgstr "" "ніж надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "entry_cache_sudo_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" @@ -3249,12 +3338,12 @@ msgstr "" "надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "entry_cache_autofs_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" 
@@ -3263,12 +3352,12 @@ msgstr "" "чинними, перш ніж надсилати повторний запит до сервера" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "entry_cache_ssh_host_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." @@ -3278,12 +3367,12 @@ msgstr "" "вузла у кеші." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "refresh_expired_interval (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." @@ -3293,7 +3382,7 @@ msgstr "" "вичерпано або майже вичерпано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " @@ -3302,7 +3391,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 #, fuzzy #| msgid "" #| "This option specifies the maximum allowed number of nested containers." 
@@ -3311,42 +3400,42 @@ msgstr "" "Цей параметр визначає максимальну дозволену кількість вкладених контейнерів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" "Варто визначити для цього параметра значення 3/4 * entry_cache_timeout." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "Типове значення: 0 (вимкнено)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "cache_credentials (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному " "кеші LDB" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" "Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у " "форматі звичайного тексту" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "cache_credentials_minimal_first_factor_length (ціле число)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " @@ -3358,7 +3447,7 @@ msgstr "" "контрольної суми SHA512 у кеші." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." @@ -3368,17 +3457,17 @@ msgstr "" "мішенню атак із перебиранням паролів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "Типове значення: 8" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "account_cache_expiration (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " 
@@ -3391,17 +3480,17 @@ msgstr "" "offline_credentials_expiration." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "Типове значення: 0 (без обмежень)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "pwd_expiration_warning (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " @@ -3414,17 +3503,17 @@ msgstr "" "даних розпізнавання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "id_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" 
@@ -3432,12 +3521,12 @@ msgstr "" "Серед підтримуваних засобів такі:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "«proxy»: підтримка застарілого модуля надання даних NSS" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" @@ -3445,7 +3534,7 @@ msgstr "" "(ЗАСТАРІЛИЙ)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3457,7 +3546,7 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -3468,8 +3557,8 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " 
@@ -3482,8 +3571,8 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3495,12 +3584,12 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "use_fully_qualified_names (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." @@ -3510,7 +3599,7 @@ msgstr "" "NSS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " @@ -3523,7 +3612,7 @@ msgstr "" "не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " 
@@ -3534,22 +3623,22 @@ msgstr "" "груп, якщо задано неповну назву, буде виконано пошук у всіх доменах." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "Типове значення: FALSE (TRUE, якщо використано default_domain_suffix)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "ignore_group_members (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "Не повертати записи учасників груп для пошуків груп." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -3568,7 +3657,7 @@ msgstr "" "$groupname</quote> поверне запитану групу так, наче вона була порожня." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -3579,12 +3668,12 @@ msgstr "" "учасників." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "auth_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" @@ -3593,7 +3682,7 @@ msgstr "" "служб розпізнавання:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3605,7 +3694,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3617,23 +3706,23 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "<quote>none</quote> — вимкнути розпізнавання повністю." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." @@ -3642,12 +3731,12 @@ msgstr "" "спосіб встановлено і можлива обробка запитів щодо розпізнавання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "access_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -3658,7 +3747,7 @@ msgstr "" "Вбудованими програмами є:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." @@ -3667,12 +3756,12 @@ msgstr "" "доступу для локального домену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "<quote>deny</quote> — завжди забороняти доступ." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -3685,7 +3774,7 @@ msgstr "" "refentrytitle> <manvolnum>5</manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -3697,24 +3786,24 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" "<quote>proxy</quote> — для трансляції керування доступом до іншого модуля " "PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "Типове значення: <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "chpass_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" @@ -3723,7 +3812,7 @@ msgstr "" "підтримку таких систем зміни паролів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3735,7 +3824,7 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3747,18 +3836,18 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." @@ -3767,19 +3856,19 @@ msgstr "" "цього параметра і якщо система здатна обробляти запити щодо паролів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "sudo_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" "Служба SUDO, яку використано для цього домену. Серед підтримуваних служб " "SUDO:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3791,7 +3880,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." @@ -3800,7 +3889,7 @@ msgstr "" "параметрами IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." @@ -3809,20 +3898,20 @@ msgstr "" "параметрами AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "<quote>none</quote> явним чином вимикає SUDO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" "Типове значення: використовується значення <quote>id_provider</quote>, якщо " "його встановлено." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " 
@@ -3841,7 +3930,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " @@ -3855,12 +3944,12 @@ msgstr "" "sudo у SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "selinux_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3871,7 +3960,7 @@ msgstr "" "доступу. Передбачено підтримку таких засобів надання даних SELinux:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3883,14 +3972,14 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" "<quote>none</quote> явним чином забороняє отримання даних щодо параметрів " "SELinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." 
@@ -3899,12 +3988,12 @@ msgstr "" "спосіб встановлено і можлива обробка запитів щодо завантаження SELinux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "subdomains_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" @@ -3914,7 +4003,7 @@ msgstr "" "підтримку таких засобів надання даних піддоменів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3926,7 +4015,7 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3939,17 +4028,17 @@ msgstr "" "налаштовування засобу надання даних AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "session_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " @@ -3961,14 +4050,14 @@ msgstr "" "постачальники даних сеансів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" "<quote>ipa</quote>, щоб дозволити пов'язані із сеансами користувачів " "завдання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" @@ -3976,7 +4065,7 @@ msgstr "" "користувачів завдань." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." 
@@ -3985,7 +4074,7 @@ msgstr "" "його встановлено і дозволено виконувати пов'язані із сеансами завдання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." @@ -3995,12 +4084,12 @@ msgstr "" "непривілейованого користувача." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "autofs_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" @@ -4008,7 +4097,7 @@ msgstr "" "autofs:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -4020,7 +4109,7 @@ msgstr "" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -4032,7 +4121,7 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -4044,17 +4133,17 @@ msgstr "" "надання даних AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "<quote>none</quote> вимикає autofs повністю." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "hostid_provider (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" @@ -4063,7 +4152,7 @@ msgstr "" "вузла. Серед підтримуваних засобів надання hostid:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -4075,12 +4164,12 @@ msgstr "" "manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "<quote>none</quote> вимикає hostid повністю." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -4094,7 +4183,7 @@ msgstr "" "IPA та доменів Active Directory, простій назві (NetBIOS) домену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -4107,22 +4196,22 @@ msgstr "" "різні стилі запису імен користувачів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "користувач" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "користувач@назва.домену" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "домен\\користувач" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." @@ -4131,7 +4220,7 @@ msgstr "" "того, щоб полегшити інтеграцію користувачів з доменів Windows." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -4142,7 +4231,7 @@ msgstr "" "домену — все після цього символу." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -4158,17 +4247,17 @@ msgstr "" "[^@]+$))</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "Типове значення: <quote>%1$s@%2$s</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "lookup_family_order (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." 
@@ -4177,48 +4266,48 @@ msgstr "" "під час виконання пошуків у DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "Передбачено підтримку таких значень:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі " "спробувати формат IPv6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі " "спробувати формат IPv4" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "Типове значення: ipv4_first" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "dns_resolver_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " @@ -4231,7 +4320,7 @@ msgstr "" "роботу у автономному режимі." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." @@ -4240,18 +4329,18 @@ msgstr "" "більше про розв'язування питань, пов'язаних із службами." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "Типове значення: 6" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "dns_discovery_domain (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." 
@@ -4260,54 +4349,54 @@ msgstr "" "частину запиту визначення служб DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" "Типова поведінка: використовувати назву домену з назви вузла комп’ютера." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "override_gid (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "Замірити значення основного GID на вказане." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "case_sensitive (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "True" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" "Враховується регістр. Це значення є некоректним для засобу надання даних AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "False" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "Без врахування регістру." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "Preserving" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -4319,7 +4408,7 @@ msgstr "" "буде переведено у нижній регістр." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -4332,17 +4421,17 @@ msgstr "" "<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "Типове значення: True (False для засобу надання даних AD)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "subdomain_inherit (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -4354,27 +4443,27 @@ msgstr "" "параметрів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "ignore_group_members" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "ldap_purge_cache_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "ldap_use_tokengroups" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "ldap_user_principal" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" @@ -4383,7 +4472,7 @@ msgstr "" "ldap_krb5_keytab не встановлено явним чином)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -4393,33 +4482,33 @@ msgstr "" " " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" "Зауваження: цей параметр працює лише для засобів надання даних IPA і AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "subdomain_homedir (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "%F" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "спрощена (NetBIOS) назва піддомену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -4434,7 +4523,7 @@ msgstr "" "emphasis>. <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" @@ -4442,17 +4531,17 @@ msgstr "" "emphasis>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "Типове значення: <filename>/home/%d/%u</filename>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "realmd_tags (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" @@ -4460,12 +4549,12 @@ msgstr "" "домену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "cached_auth_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -4479,7 +4568,7 @@ msgstr "" "розпізнавання." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." @@ -4489,12 +4578,12 @@ msgstr "" "значення для різних довірених доменів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "Спеціальне значення 0 означає, що цю можливість вимкнено." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " @@ -4505,17 +4594,17 @@ msgstr "" "обробки <quote>initgroups</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "auto_private_groups (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "true" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." 
@@ -4524,7 +4613,7 @@ msgstr "" "користувача. У цьому випадку номер GID буде проігноровано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " @@ -4537,12 +4626,12 @@ msgstr "" "примусово встановлює унікальність записів у просторі ідентифікаторів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "false" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." @@ -4551,12 +4640,12 @@ msgstr "" "вказувати на об'єкт групи у базі даних LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "hybrid" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 #, fuzzy #| msgid "" #| "A primary group is autogenerated for user entries whose UID and GID " 
@@ -4578,7 +4667,7 @@ msgstr "" "цього користувача визначатиме цей об'єкт групи." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." @@ -4587,7 +4676,7 @@ msgstr "" "групи, інакше надійне визначення GID буде просто неможливим." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " @@ -4598,7 +4687,7 @@ msgstr "" "збереженням наявних приватних груп для користувачів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" @@ -4607,7 +4696,7 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." @@ -4617,7 +4706,7 @@ msgstr "" "використовується автоматична прив'язка до ідентифікаторів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" 
@@ -4627,7 +4716,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -4639,7 +4728,7 @@ msgstr "" "auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -4653,7 +4742,7 @@ msgstr "" "\"programlisting\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" @@ -4664,17 +4753,17 @@ msgstr "" "quote> <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "proxy_pam_target (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "Комп’ютер, для якого виконує проксі-сервер PAM." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." 
@@ -4683,12 +4772,12 @@ msgstr "" "налаштуваннями pam або створити нові і тут додати назву служби." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "proxy_lib_name (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -4699,12 +4788,12 @@ msgstr "" "наприклад _nss_files_getpwent." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "proxy_fast_alias (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " @@ -4719,12 +4808,12 @@ msgstr "" "у кеші, щоб пришвидшити надання результатів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "proxy_max_children (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " 
@@ -4736,7 +4825,7 @@ msgstr "" "використання черги запитів." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" @@ -4745,12 +4834,12 @@ msgstr "" "\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "Домени програм (application)" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -4778,7 +4867,7 @@ msgstr "" "який може успадковувати параметр з традиційного домену SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -4789,17 +4878,17 @@ msgstr "" "його доменом-близнюком у POSIX має бути встановлено належним чином." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "Параметри доменів програм" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "inherit_from (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -4811,7 +4900,7 @@ msgstr "" "розширюють або перевизначають параметри домену-<quote>близнюка</quote>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -4826,7 +4915,7 @@ msgstr "" "у кеші і робить атрибут phone доступним через інтерфейс D-Bus." #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" 
@@ -4860,12 +4949,12 @@ msgstr "" "ldap_user_extra_attrs = phone:telephoneNumber\n" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "Розділ локального домену" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " @@ -4876,29 +4965,29 @@ msgstr "" "використовує <replaceable>id_provider=local</replaceable>." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "default_shell (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" "Типова оболонка для записів користувачів, створених за допомогою " "інструментів простору користувачів SSSD." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "Типове значення: <filename>/bin/bash</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "base_directory (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." 
@@ -4907,17 +4996,17 @@ msgstr "" "replaceable> і використовують отриману адресу як адресу домашнього каталогу." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "Типове значення: <filename>/home</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "create_homedir (булеве значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." @@ -4926,17 +5015,17 @@ msgstr "" "Може бути перевизначено з командного рядка." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "Типове значення: TRUE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "remove_homedir (булівське значення)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." 
@@ -4945,12 +5034,12 @@ msgstr "" "користувачів. Може бути перевизначено з командного рядка." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "homedir_umask (ціле число)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -4961,17 +5050,17 @@ msgstr "" "до щойно створеного домашнього каталогу." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "Типове значення: 077" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "skel_dir (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -4984,17 +5073,17 @@ msgstr "" "<manvolnum>8</manvolnum> </citerefentry>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "Типове значення: <filename>/etc/skel</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "mail_dir (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -5005,17 +5094,17 @@ msgstr "" "каталог не вказано, буде використано типове значення." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "Типове значення: <filename>/var/mail</filename>" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "userdel_cmd (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -5026,17 +5115,17 @@ msgstr "" "вилучається. Код виконання, повернутий програмою не обробляється." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "Типове значення: None, не виконувати жодних команд" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -5054,57 +5143,57 @@ msgstr "" "такі параметри:" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "ldap_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "ldap_user_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "ldap_group_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "ldap_netgroup_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "ldap_service_search_base," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "ldap_sasl_mech," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "ad_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "ad_backup_server," #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "ad_site," #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "use_fully_qualified_names" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." 
@@ -5113,12 +5202,12 @@ msgstr "" "підручника." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "РОЗДІЛ ПРИВ'ЯЗКИ СЕРТИФІКАТІВ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -5141,7 +5230,7 @@ msgstr "" "використовують для розпізнавання PAM." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -5153,7 +5242,7 @@ msgstr "" "citerefentry>)." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" @@ -5166,12 +5255,12 @@ msgstr "" "replaceable>]</quote>. У цьому розділі можна використовувати такі параметри:" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "matchrule (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." 
@@ -5180,7 +5269,7 @@ msgstr "" "цьому правилу. Усі інші сертифікати буде проігноровано." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" @@ -5190,17 +5279,17 @@ msgstr "" "<quote>clientAuth</quote>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "maprule (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "Визначає спосіб пошуку користувача для вказаного сертифіката." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." @@ -5209,7 +5298,7 @@ msgstr "" "даних, зокрема <quote>ldap</quote>, <quote>AD</quote> та <quote>ipa</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." 
@@ -5218,12 +5307,12 @@ msgstr "" "запис користувача і такою самою назвою." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "domains (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -5236,17 +5325,17 @@ msgstr "" "параметр можна використати і для додавання правила до піддоменів." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "Типове значення: домен, який налаштовано у sssd.conf" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "priority (ціле число)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -5257,12 +5346,12 @@ msgstr "" "пріоритетність, а <quote>4294967295</quote> — найнижча." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "Типове значення: найнижча пріоритетність" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" @@ -5272,7 +5361,7 @@ msgstr "" "спеціальних властивостей:" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" @@ -5281,7 +5370,7 @@ msgstr "" "відповідного облікового запису користувача" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " 
@@ -5294,17 +5383,17 @@ msgstr "" "quote> або <quote>({назва_об'єкта_rfc822.коротка_назва})</quote>" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "параметр <quote>domains</quote> буде проігноровано" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "РОЗДІЛ НАЛАШТОВУВАННЯ ЗАПИТІВ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " @@ -5320,7 +5409,7 @@ msgstr "" "реєстраційних даних." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 #, fuzzy #| msgid "" #| "With the growing number of authentication methods and the possibility " 
@@ -5340,22 +5429,22 @@ msgstr "" "випадках мають забезпечити описані нижче параметри." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "[prompting/password]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "password_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "для зміни рядка запиту пароля" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" 
@@ -5364,37 +5453,37 @@ msgstr "" "type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "[prompting/2fa]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "first_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "для зміни рядка запиту для першого фактора" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "second_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "для зміни рядка запиту для другого фактора" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "single_prompt" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 #, fuzzy #| msgid "" #| "boolean value, if True there will be only a single prompt using the value " 
@@ -5410,7 +5499,7 @@ msgstr "" "рядок." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" @@ -5419,7 +5508,7 @@ msgstr "" "параметри: <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 #, fuzzy #| msgid "" #| "Each supported authentication method has it's own configuration sub-" @@ -5437,7 +5526,7 @@ msgstr "" "\"variablelist\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 #, fuzzy #| msgid "" #| "It is possible to add a sub-section for specific PAM services like e.g. " @@ -5453,12 +5542,12 @@ msgstr "" "для цієї служби." #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "ПРИКЛАДИ" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -5512,7 +5601,7 @@ msgstr "" "enumerate = False\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -5525,7 +5614,7 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" 
@@ -5535,7 +5624,7 @@ msgstr "" "use_fully_qualified_names = false\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -5552,7 +5641,7 @@ msgstr "" "\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -5574,7 +5663,7 @@ msgstr "" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " @@ -5653,12 +5742,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "ldap_uri, ldap_backup_uri (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -5673,34 +5762,34 @@ msgstr "" "служб. Докладніші відомості можна знайти у розділі «ПОШУК СЛУЖБ»." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "Формат адреси має відповідати формату, що визначається RFC 2732:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "ldap[s]://<вузол>[:порт]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" "У явних адресах IPv6 <вузол> має бути вказано у квадратних дужках, []" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "приклад: ldap://[fc00::126:25]:389" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -5713,31 +5802,31 @@ msgstr "" "резервні ресурси та додаткові сервери." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" "Для того, щоб уможливити визначення служб, слід встановити значення " "параметра ldap_chpass_dns_service_name." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "Типове значення: порожнє, тобто використовується ldap_uri." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "ldap_search_base (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" "Типова базова назва домену, яку слід використовувати для виконання дій від " "імені користувача LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" 
@@ -5746,19 +5835,19 @@ msgstr "" "основ для пошуку за допомогою таких синтаксичних конструкцій:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "основа_пошуку[?діапазон?[фільтр][?основа_пошуку?діапазон?[фільтр]]*]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" "Діапазоном може бути одне зі значень, «base» (основа), «onelevel» (окремий " "рівень) або «subtree» (піддерево)." #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" @@ -5766,14 +5855,14 @@ msgstr "" "Фільтром має бути коректний запис фільтрування LDAP, відповідно до " "специфікації http://www.ietf.org/rfc/rfc2254.txt" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "Приклади:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" 
@@ -5782,7 +5871,7 @@ msgstr "" "dc=example,dc=com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" @@ -5791,7 +5880,7 @@ msgstr "" "(host=thishost)?dc=example.com?subtree?" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -5804,7 +5893,7 @@ msgstr "" "непередбачуваних результатів на клієнтських комп’ютерах." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " @@ -5821,12 +5910,12 @@ msgstr "" "Підтримки визначення декількох значень не передбачено." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "ldap_schema (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " 
@@ -5837,32 +5926,32 @@ msgstr "" "можуть бути різними. Спосіб обробки атрибутів також може бути різним." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "У поточній версії передбачено підтримку чотирьох типів схем:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "rfc2307bis" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "IPA" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -5880,38 +5969,38 @@ msgstr "" "Active Directory 2008r2." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "Типове значення: rfc2307" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "ldap_pwmodify_mode (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "Визначає дію, яку буде здійснено для зміни пароля користувача." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "У поточній версії передбачено два режими:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "exop — розширена дія зі зміни пароля (RFC 3062)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" "ldap_modify — безпосереднє внесення змін до userPassword (не рекомендуємо)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -5925,59 +6014,59 @@ msgstr "" "запису атрибута userPassword." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "Типове значення: exop" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "ldap_default_bind_dn (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" "Типова назва домену прив’язки, яку слід використовувати для виконання дій " "LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "ldap_default_authtok_type (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "Тип розпізнавання для типової назви сервера прив’язки." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "У поточній версії передбачено підтримку двох механізмів:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "obfuscated_password" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "Типове значення: password" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "ldap_default_authtok (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." 
@@ -5986,13503 +6075,13796 @@ msgstr "" "передбачено підтримку лише паролів у форматі звичайного тексту." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "ldap_user_object_class (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." -msgstr "Клас об’єктів запису користувача у LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" -msgstr "Типове значення: posixAccount" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" -msgstr "ldap_user_name (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "Атрибут LDAP, що відповідає назві облікового запису користувача." +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Типове значення: uid (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." 
+msgstr "" +"Деякі з серверів каталогів, наприклад Active Directory, можуть надавати " +"частину області адреси UPN лише малими літерами (літерами нижнього " +"регістру), що може призвести до невдалої спроби розпізнавання. Встановіть " +"ненульове значення цього параметра, якщо ви бажаєте використовувати назву " +"області у верхньому регістрі." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" -msgstr "ldap_user_uid_number (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." -msgstr "Атрибут LDAP, що відповідає ідентифікатору користувача." +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" -msgstr "Типове значення: uidNumber" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"Визначає кількість секунд, протягом яких SSSD має очікувати до оновлення " +"свого кешу нумерованих записів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "ldap_user_gid_number (рядок)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." -msgstr "Атрибут LDAP, що відповідає ідентифікатору основної групи користувача." 
+#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"Визначає частоту пошуків у кеші неактивних записів (зокрема груп без " +"учасників та користувачів, які ніколи не входили до системи) та вилучення " +"цих записів з метою економії місця." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "Типове значення: gidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" +"Встановлення нульового значення цього параметра вимикає дію з очищення кешу. " +"Будь ласка, зауважте, що якщо увімкнено нумерацію, дія з очищення є " +"необхідною з метою виявлення записів, вилучених із сервера, її не можна " +"вимикати. Типово, дія з очищення, якщо увімкнено нумерацію, виконується " +"кожні 3 години." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" -msgstr "ldap_user_primary_group (рядок)" +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:352 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." 
+"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" -"Атрибут основної групи Active Directory для встановлення відповідності " -"ідентифікатора. Зауважте, що цей атрибут слід встановлювати вручну, лише " -"якщо ви користуєтеся засобом надання даних <quote>ldap</quote> з прив'язкою " -"до ідентифікаторів." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" -msgstr "Типове значення: unset (LDAP), primaryGroupID (AD)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" -msgstr "ldap_user_gecos (рядок)" +"Якщо ldap_schema встановлено у значення формату схеми, у якому передбачено " +"підтримку вкладеності груп (наприклад RFC2307bis), цей параметр визначає " +"кількість рівнів вкладеності, які оброблятимуться SSSD. Значення цього " +"параметра буде проігноровано, якщо використано схему RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." -msgstr "Атрибут LDAP, що відповідає полю gecos користувача." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" -msgstr "Типове значення: gecos" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" -msgstr "ldap_user_home_directory (рядок)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." -msgstr "Атрибут LDAP, що містить назву домашнього каталогу користувача." +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" +"Зауваження: за допомогою цього параметра визначається гарантований рівень " +"вкладеності груп для обробки під час будь-якого пошуку. Втім, <emphasis>може " +"бути</emphasis> повернуто і групи із більшим рівнем вкладеності, якщо під " +"час попередніх пошуків відбувалася обробка вищих рівнів вкладеності. Крім " +"того, послідовні пошуки інших груп можуть розширити набір результатів " +"початкового пошуку, якщо запити щодо пошуку надходять повторно." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" +"Якщо значенням ldap_group_nesting_level є 0, вкладені групи взагалі не " +"оброблятимуться. 
Втім, якщо з’єднання встановлено з Active-Directory Server " +"2008 та новішими версіями з використанням <quote>id_provider=ad</quote>, " +"слід також вимкнути використання груп реєстраційних записів (Token-Groups) " +"встановленням для параметра ldap_use_tokengroups значення false з метою " +"обмеження вкладеності у групах." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" -msgstr "ldap_user_shell (рядок)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" +msgstr "Типове значення: 2" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" -"Атрибут LDAP, що містить шлях до типової командної оболонки користувача." +"За допомогою цього параметра можна увімкнути або вимкнути використання " +"атрибута Token-Groups під час виконання initgroup для користувачів Active " +"Directory Server 2008 та новіших версій." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" -msgstr "Типове значення: loginShell" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." +msgstr "Типове значення: True для AD і IPA, інакше False." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" -msgstr "ldap_user_uuid (рядок)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" +msgstr "ldap_host_search_base (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." -msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта користувача LDAP." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" +"Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -"Типове значення: не встановлено у загальному випадку, objectGUID для AD і " -"ipaUniqueID для IPA" +"Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про " +"налаштування декількох основ пошуку." + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "Типове значення: значення <emphasis>ldap_search_base</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" -msgstr "ldap_user_objectsid (рядок)" +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:424 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" -"Атрибут LDAP, що містить objectSID об’єкта користувача LDAP. Зазвичай, " -"потрібен лише для серверів ActiveDirectory." +"Визначає час очікування на дані (у секундах) для виконання пошуків ldap, " +"перш ніж пошук буде скасовано з поверненням кешованих даних (і переходом до " +"автономного режиму роботи)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +#: sssd-ldap.5.xml:430 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" -"Типове значення: objectSid для ActiveDirectory, не встановлено для інших " -"серверів." +"Зауваження: роботу цього параметра буде змінено у наступних версіях SSSD. " +"Ймовірно, його буде колись замінено на послідовність часів очікування для " +"окремих типів пошуків." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" -msgstr "ldap_user_modify_timestamp (рядок)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "ldap_enumeration_search_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" -"Атрибут LDAP, що містить часову позначку останньої зміни батьківського " -"об’єкта." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" -msgstr "Типове значення: modifyTimestamp" +"Визначає час очікування на дані (у секундах) для виконання пошуків номерів " +"користувачів та груп у ldap, перш ніж пошук буде скасовано з поверненням " +"кешованих даних (і переходом до автономного режиму роботи)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" -msgstr "ldap_user_shadow_last_change (рядок)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (ціле число)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:461 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" -"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " -"атрибута LDAP, який є відповідником параметра <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (дати останньої зміни пароля)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" -msgstr "Типове значення: shadowLastChange" +"Визначає час очікування (у секундах), після завершення якого <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> з наступним <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> повертається до стану бездіяльності." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" -msgstr "ldap_user_shadow_min (рядок)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." -msgstr "" -"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " -"атрибута LDAP, який є відповідником параметра <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (мінімального віку пароля)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" -msgstr "Типове значення: shadowMin" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" +"Визначає час очікування (у секундах), після завершення якого виклики до " +"синхронних програмних інтерфейсів LDAP буде перервано, якщо не буде отримано " +"відповіді. Також керує часом очікування під час обміну даними з KDC у " +"випадку прив’язки SASL, часом очікування на дію з прив’язування LDAP, " +"розширеної операції зі зміни пароля та дії StartTLS." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" -msgstr "ldap_user_shadow_max (рядок)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "ldap_connection_expire_timeout (ціле значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" -"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " -"атрибута LDAP, який є відповідником параметра <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (максимального віку пароля)." +"Визначає час очікування (у секундах), протягом якого підтримуватиметься " +"з’єднання з сервером LDAP. По завершенню цього часу буде зроблено спробу " +"повторно встановити з’єднання. У разі використання паралельно до SASL/GSSAPI " +"буде використано перше за часом значення (це значення або значення строку " +"дії TGT)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" -msgstr "Типове значення: shadowMax" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" +msgstr "Типове значення: 900 (15 хвилин)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" -msgstr "ldap_user_shadow_warning (рядок)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " -"атрибута LDAP, який є відповідником параметра <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (проміжку попередження щодо пароля)." +"Визначити кількість записів, які слід отримати з LDAP у відповідь на один " +"запит. На деяких серверах LDAP визначено обмеження максимальної кількості на " +"один запит." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "Типове значення: shadowWarning" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" +msgstr "Типове значення: 1000" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" -msgstr "ldap_user_shadow_inactive (рядок)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" +msgstr "ldap_disable_paging (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" -"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " -"атрибута LDAP, який є відповідником параметра <citerefentry> " -"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> (тривалості періоду невикористання пароля)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" -msgstr "Типове значення: shadowInactive" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" -msgstr "ldap_user_shadow_expire (рядок)" +"Вимикає контроль сторінок LDAP. Цим параметром слід скористатися, якщо " +"сервер LDAP повідомляє про підтримку контролю сторінок LDAP у своєму " +"RootDSE, але цю підтримку не увімкнено або вона не працює належним чином." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" -"У разі використання ldap_pwd_policy=shadow або " -"ldap_account_expire_policy=shadow цей параметр містить назву атрибута LDAP, " -"який є відповідником параметра <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> (дати завершення " -"строку дії пароля)." +"Приклад: сервери OpenLDAP з модулем контролю сторінок, встановленим на " +"сервері, але не увімкненим, повідомляють про підтримку у RootDSE, але цією " +"підтримкою не можна скористатися." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" -msgstr "Типове значення: shadowExpire" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"Приклад: 389 DS має ваду, пов’язану з тим, що здатен підтримувати лише один " +"процес контролю сторінок для одного з’єднання. У разі значного навантаження " +"це може призвести до відмови у виконанні запитів." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" -msgstr "ldap_user_krb_last_pwd_change (рядок)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 -msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." -msgstr "" -"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить " -"назву атрибута LDAP, у якому зберігається дата і час останньої зміни пароля " -"у kerberos." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." +msgstr "Вимкнути отримання діапазону Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" -msgstr "Типове значення: krbLastPwdChange" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" +"У Active Directory за допомогою правила MaxValRange (типове значення 1500 " +"записів) обмежується кількість записів, які може бути отримано під час " +"пошуку. Якщо у певній групі міститься більше записів учасників, до відповіді " +"буде включено специфічне для AD розширення діапазону. 
За допомогою цього " +"параметра можна вимкнути обробку розширення діапазону, отже великі групи " +"буде представлено як такі, у яких немає учасників." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" -msgstr "ldap_user_krb_password_expiration (рядок)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (ціле значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" -"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить " -"назву атрибута LDAP, у якому зберігається дата і час завершення строку дії " -"поточного пароля." +"Під час обміну даними з сервером LDAP за допомогою SASL визначає мінімальний " +"рівень захисту, потрібний для встановлення з’єднання. Значення цього " +"параметра визначається OpenLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "Типове значення: krbPasswordExpiration" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" +"Типове значення: типове для системи значення (зазвичай, визначається у ldap." +"conf)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" -msgstr "ldap_user_ad_account_expires (рядок)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" -"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву " -"атрибута LDAP, у якому зберігаються дані щодо строку завершення дії " -"облікового запису." +"Вказує кількість учасників групи, записів яких має не вистачати у " +"зовнішньому кеші для запуску загального пошуку з розіменуванням. Якщо " +"пропущених записів буде менше за вказану кількість, пошук для них " +"виконуватиметься окремо." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" -msgstr "Типове значення: accountExpires" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" -msgstr "ldap_user_ad_user_account_control (рядок)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. 
" +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" +"Ви можете повністю вимкнути запити щодо розіменувань встановленням значення " +"0. Будь ласка, зауважте, що у коді SSSD, зокрема засобу надання даних HBAC " +"IPA, є інструкції, які реалізовано лише з використанням викликів щодо " +"розіменування, тому навіть явне вимикання розіменувань не призведе до " +"вимикання розіменувань у цих частинах коду, якщо на сервері передбачено " +"підтримку розіменувань і оголошено про керування розіменуваннями у об'єкті " +"rootDSE." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" -"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву " -"атрибута LDAP, у якому зберігаються дані щодо поля контрольного біта " -"облікового запису користувача." +"Пошук з розіменуванням — це отримання всіх записів учасників групи за одним " +"викликом LDAP. У різних серверах LDAP може бути передбачено різні способи " +"розіменування. У поточній версії передбачено підтримку серверів 389/RHDS, " +"OpenLDAP та Active Directory." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "Типове значення: userAccountControl" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" +"<emphasis>Зауваження:</emphasis> якщо у одній з основ пошуку визначається " +"фільтр пошуку, покращення швидкодії фільтрів розіменування буде вимкнено, " +"незалежно від використання цього параметра." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" -msgstr "ldap_ns_account_lock (рядок)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" -"Якщо вказано ldap_account_expire_policy=rhds або еквівалентне налаштування, " -"цей параметр визначає, заборонено чи дозволено доступ." +"Визначає перелік перевірок, які слід виконати для сертифікатів серверів у " +"сеансі TLS, якщо такі перевірки слід виконувати. Може бути визначено одне з " +"таких значень:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "Типове значення: nsAccountLock" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" -msgstr "ldap_user_nds_login_disabled (рядок)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = клієнт не надсилатиме запиту і не перевірятиме " +"жодних сертифікатів сервера." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" -"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає, дозволено " -"чи заборонено доступ." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "Типове значення: loginDisabled" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" -msgstr "ldap_user_nds_login_expiration_time (рядок)" +"<emphasis>allow</emphasis> = надіслати запит щодо сертифіката сервера. Якщо " +"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде " +"надано помилковий сертифікат, ігнорувати і продовжити сеанс у звичайному " +"режимі." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 +#: sssd-ldap.5.xml:658 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" -"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає дату, до " -"якої надано доступ." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" -msgstr "ldap_user_nds_login_allowed_time_map (рядок)" +"<emphasis>try</emphasis> = надіслати запит щодо сертифіката сервера. Якщо " +"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде " +"надано помилковий сертифікат, негайно перервати сеанс." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" -"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає годити дня " -"тижня, коли надається доступ." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" -msgstr "Типове значення: loginAllowedTimeMap" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" -msgstr "ldap_user_principal (рядок)" +"<emphasis>demand</emphasis> = надіслати запит щодо сертифіката сервера. Якщо " +"сертифікат не буде надано або буде надано помилковий сертифікат, негайно " +"перервати сеанс." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 -msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" -"Атрибут LDAP, що містить Kerberos User Principal Name (UPN) користувача." +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" -msgstr "Типове значення: krbPrincipalName" +#: sssd-ldap.5.xml:674 +msgid "Default: hard" +msgstr "Типове значення: hard" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" -msgstr "ldap_user_extra_attrs (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." -msgstr "" -"Відокремлений комами список атрибутів LDAP, які SSSD має отримувати разом зі " -"звичайним набором атрибутів запису користувача." +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:683 msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" -"Список може або містити лише назви атрибутів LDAP, або відокремлені " -"двокрапками кортежі з назви атрибута кешу SSSD та назви атрибута LDAP. Якщо " -"вказано лише назву атрибута LDAP, атрибут зберігається до кешу буквально. " -"Використання нетипової назви атрибута SSSD може бути потрібним середовищам, " -"де налаштовано декілька доменів SSSD з різними схемами LDAP." +"Визначає файл, який містить сертифікати для всіх служб сертифікації, які " +"розпізнаються <command>sssd</command>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" -"Будь ласка, зауважте, що декілька назв атрибутів зарезервовано SSSD, зокрема " -"атрибут «name». SSSD повідомить про помилку, якщо будь-які із зарезервованих " -"назв атрибутів використано як назву додаткового атрибута." 
+"Типове значення: використовувати типові параметри OpenLDAP, що зберігаються " +"у <filename>/etc/openldap/ldap.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" -msgstr "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:698 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" -"Зберегти атрибут «telephoneNumber» з LDAP як «telephoneNumber» до кешу." +"Визначає шлях до каталогу, де у окремих файлах містяться сертифікати служб " +"сертифікації (CA). Типовими назвами файлів є хеші сертифікатів з додаванням " +"«.0». Для створення відповідних назв можна скористатися " +"<command>cacertdir_rehash</command>, якщо ця програма є доступною." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" -msgstr "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 -msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." -msgstr "Зберегти атрибут «telephoneNumber» з LDAP як «phone» до кешу." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "Визначає файл, який містить сертифікат для ключа клієнта." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" -msgstr "ldap_user_ssh_public_key (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." -msgstr "Атрибут LDAP, який містить відкриті ключі SSH користувача." +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" -msgstr "Типове значення: sshPublicKey" +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." +msgstr "Визначає файл, у якому міститься ключ клієнта." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" -msgstr "ldap_force_upper_case_realm (булеве значення)" +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:741 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -"Деякі з серверів каталогів, наприклад Active Directory, можуть надавати " -"частину області адреси UPN лише малими літерами (літерами нижнього " -"регістру), що може призвести до невдалої спроби розпізнавання. Встановіть " -"ненульове значення цього параметра, якщо ви бажаєте використовувати назву " -"області у верхньому регістрі." +"Визначає прийнятні комплекти програм для шифрування. Записи у типовому " +"списку слід відокремлювати комами. З форматом можна ознайомитися на сторінці " +"довідника до <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" -msgstr "ldap_enumeration_refresh_timeout (ціле число)" +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 +#: sssd-ldap.5.xml:757 msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." 
msgstr "" -"Визначає кількість секунд, протягом яких SSSD має очікувати до оновлення " -"свого кешу нумерованих записів." +"Визначає, що з’єднання id_provider має також використовувати <systemitem " +"class=\"protocol\">tls</systemitem> для захисту каналу." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" -msgstr "ldap_purge_cache_timeout (ціле число)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:770 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" -"Визначає частоту пошуків у кеші неактивних записів (зокрема груп без " -"учасників та користувачів, які ніколи не входили до системи) та вилучення " -"цих записів з метою економії місця." +"Визначає, що SSSD має намагатися встановити відповідність ідентифікаторів " +"користувача і групи на основі атрибутів ldap_user_objectsid та " +"ldap_group_objectsid, замість атрибутів ldap_user_uid_number та " +"ldap_group_gid_number." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 -msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." 
+#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" -"Встановлення нульового значення цього параметра вимикає дію з очищення кешу. " -"Будь ласка, зауважте, що якщо увімкнено нумерацію, дія з очищення є " -"необхідною з метою виявлення записів, вилучених із сервера, її не можна " -"вимикати. Типово, дія з очищення, якщо увімкнено нумерацію, виконується " -"кожні 3 години." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" -msgstr "ldap_user_fullname (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." -msgstr "Атрибут LDAP, що відповідає повному імені користувача." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" -msgstr "Типове значення: cn" +"У поточній версії у цій можливості передбачено підтримку лише встановлення " +"відповідності objectSID у ActiveDirectory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" -msgstr "ldap_user_member_of (рядок)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "ldap_min_id, ldap_max_id (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." -msgstr "Атрибут LDAP зі списком груп, у яких бере участь користувач." 
+#: sssd-ldap.5.xml:789 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" +"На відміну від прив’язування ідентифікаторів на основі SID, яке " +"використовується, якщо параметр ldap_id_mapping має значення true, діапазон " +"дозволених ідентифікаторів для ldap_user_uid_number і ldap_group_gid_number " +"є необмеженим. У конфігураціях з піддоменами та довіреними доменами це може " +"призвести до конфліктів ідентифікаторів. Щоб уникнути конфліктів, можна " +"встановити значення ldap_min_id і ldap_max_id для обмеження дозволеного " +"діапазону ідентифікаторів, які буде прочитано безпосередньо з сервера. Після " +"цього піддомени можуть вибирати інші діапазони для прив’язування " +"ідентифікаторів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" -msgstr "Типове значення: memberOf" +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" +msgstr "" +"Типове значення: не встановлено (обидва параметри встановлено у значення 0)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" -msgstr "ldap_user_authorized_service (рядок)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:810 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" -"Якщо access_provider=ldap і ldap_access_order=authorized_service, SSSD " -"використовуватиме наявність атрибута authorizedService у записі користувача " -"LDAP для визначення прав доступу." - +"Визначає механізм SASL, який слід використовувати. У поточній версії " +"перевірено і передбачено підтримку лише механізмів GSSAPI та GSS-SPNEGO." + #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 +#: sssd-ldap.5.xml:814 msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"Спочатку визначаються явні заборони (!svc). Далі SSSD шукає явні дозволи " -"(svc) і нарешті загальні дозволи або allow_all (*)." +"Якщо у модулі обробки передбачено підтримку піддоменів, значення для " +"піддоменів ldap_sasl_mech буде автоматично успадковано від домену. Якщо для " +"якогось піддомену потрібне інше значення, його можна перезаписати " +"встановленням ldap_sasl_mech для цього піддомену окремо. 
Докладніший опис " +"можна знайти у розділі щодо довірених доменів у підручнику з " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" -"Будь ласка, зауважте, що параметр налаштування ldap_access_order " -"<emphasis>має</emphasis> включати <quote>authorized_service</quote>, щоб " -"система змогла скористатися параметром ldap_user_authorized_service." +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 +#: sssd-ldap.5.xml:833 msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" +"Визначає ідентифікатор уповноваження SASL, яким слід скористатися. Якщо " +"використовується GSSAPI/GSS-SPNEGO, цим ідентифікатором є реєстраційні дані " +"Kerberos, які використовуються для розпізнавання при доступі до каталогу. " +"Цей параметр може містити або повні реєстраційні дані (наприклад host/" +"myhost@EXAMPLE.COM) або просто назву реєстраційного запису (наприклад host/" +"myhost). Типово, значення не встановлено і використовуються такі " +"реєстраційні записи: <placeholder type=\"programlisting\" id=\"0\"/> Якщо " +"жоден з них не буде знайдено, буде повернуто перший реєстраційний запис у " +"таблиці ключів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" -msgstr "Типове значення: authorizedService" +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" +msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" -msgstr "ldap_user_authorized_host (рядок)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:862 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specify the SASL realm to use. 
When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" -"Якщо access_provider=ldap і ldap_access_order=host, SSSD використовуватиме " -"наявність атрибута host у записі користувача LDAP для визначення прав " -"доступу." +"Визначає область SASL, яку слід використовувати. Якщо не вказано значення, " +"типовим значенням цього параметра є значення krb5_realm. Якщо " +"ldap_sasl_authid також містить запис області, цей параметр буде " +"проігноровано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." -msgstr "" -"Спочатку визначаються явні заборони (!host). Далі SSSD шукає явні дозволи " -"(host) і нарешті загальні дозволи або allow_all (*)." +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." +msgstr "Типове значення: значення krb5_realm." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:877 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" -"Будь ласка, зауважте, що параметр налаштування ldap_access_order " -"<emphasis>має</emphasis> включати <quote>host</quote>, щоб можна було " -"скористатися параметром ldap_user_authorized_host." 
+"Якщо встановлено значення true (1), бібліотека LDAP виконувати зворотній " +"пошук з метою переведення назв вузлів у канонічну форму під час прив’язки до " +"SASL." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" -msgstr "Типове значення: host" +#: sssd-ldap.5.xml:882 +msgid "Default: false;" +msgstr "Типове значення: false;" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" -msgstr "ldap_user_authorized_rhost (рядок)" +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 -msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" -"Якщо access_provider=ldap і ldap_access_order=rhost, SSSD використовуватиме " -"наявність атрибута rhost у записі користувача LDAP для визначення прав " -"доступу. Те саме стосується і процесу перевірки вузла." +"Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI/GSS-" +"SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 -msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" -"Спочатку визначаються явні заборони (!rhost). 
Далі SSSD шукає явні дозволи " -"(rhost) і нарешті загальні дозволи або allow_all (*)." +"Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5." +"keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:904 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -"Будь ласка, зауважте, що параметр налаштування ldap_access_order " -"<emphasis>має</emphasis> включати <quote>rhost</quote>, щоб можна було " -"скористатися параметром ldap_user_authorized_rhost." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" -msgstr "Типове значення: rhost" +"Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos " +"(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано " +"механізм GSSAPI або GSS-SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" -msgstr "ldap_user_certificate (рядок)" +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (ціле число)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." -msgstr "Назва атрибута LDAP, що містить сертифікат X509 користувача." +#: sssd-ldap.5.xml:919 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +msgstr "" +"Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI або GSS-" +"SPNEGO." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" -msgstr "Типове значення: userCertificate;binary" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" +msgstr "Типове значення: 86400 (24 години)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" -msgstr "ldap_user_email (рядок)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:932 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Назва атрибута LDAP, який містить адресу електронної пошти користувача." 
+"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів " +"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути " +"впорядковано за пріоритетом. Докладніше про резервування та додаткові " +"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може " +"бути додано номер порту (перед номером слід вписати двокрапку). Якщо " +"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше " +"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" -"Зауваження: якщо адреса електронної пошти користувача конфліктує із адресою " -"електронної пошти або повним ім'ям іншого користувача, SSSD не зможе " -"обслуговувати належним чином записи таких користувачів. Якщо з якоїсь " -"причини у декількох користувачів має бути одна адреса електронної пошти, " -"встановіть для цього параметра довільну назву атрибута, щоб вимкнути пошук і " -"вхід до системи за адресою електронної пошти." +"Під час використання виявлення служб для серверів KDC або kpasswd SSSD " +"спочатку намагається знайти записи DNS, у яких визначається протокол _udp. " +"Використання протоколу _tcp відбувається, лише якщо таких записів не " +"вдасться знайти." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" -msgstr "Типове значення: mail" +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"У попередніх випусках SSSD цей параметр мав назву «krb5_kdcip». У поточній " +"версії передбачено розпізнавання цієї застарілої назви, але користувачам " +"варто перейти на використання «krb5_server» у файлах налаштувань." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" -msgstr "ldap_group_object_class (рядок)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." -msgstr "Клас об’єктів запису групи у LDAP." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +msgstr "" +"Вказати область Kerberos (для розпізнавання за SASL/GSSAPI/GSS-SPNEGO)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "Типове значення: posixGroup" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" +"Типове значення: типове значення системи, див. <filename>/etc/krb5.conf</" +"filename>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" -msgstr "ldap_group_name (рядок)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." -msgstr "Атрибут LDAP, що відповідає назві групи." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "Типове значення: cn (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" -msgstr "ldap_group_gid_number (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." -msgstr "Атрибут LDAP, що відповідає ідентифікатору групи." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" -msgstr "ldap_group_member (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." -msgstr "Атрибут LDAP, у якому містяться імена учасників групи." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "Типове значення: memberuid (rfc2307) / member (rfc2307bis)" +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" +"Визначає, чи слід перетворювати реєстраційний запис вузла у канонічну форму " +"під час встановлення з’єднання з сервером LDAP. Цю можливість передбачено з " +"версії MIT Kerberos >= 1.7" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" -msgstr "ldap_group_uuid (рядок)" +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." -msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта групи LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" -msgstr "ldap_group_objectsid (рядок)" +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" +"Визначає, чи слід SSSD вказувати бібліотекам Kerberos, яку область і які " +"значення KDC слід використовувати. Типово, дію параметра увімкнено. 
Якщо ви " +"вимкнете його, вам слід налаштувати бібліотеку Kerberos за допомогою файла " +"налаштувань <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" -"Атрибут LDAP, що містить objectSID об’єкта групи LDAP. Зазвичай, потрібен " -"лише для серверів ActiveDirectory." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" -msgstr "ldap_group_modify_timestamp (рядок)" +"Див. сторінку підручника (man) <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" -msgstr "ldap_group_type (ціле число)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1017 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Select the policy to evaluate the password expiration on the client side. 
" +"The following values are allowed:" msgstr "" -"Атрибут LDAP, що містить ціле значення і позначає тип групи, а також, " -"можливо, інші прапорці." +"Визначає правил оцінки строку дії пароля на боці клієнта. Можна " +"використовувати такі значення:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 +#: sssd-ldap.5.xml:1022 msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" -"Цей атрибут у поточній версії використовується лише засобом надання даних AD " -"для визначення, чи є група локальною групою домену і чи має бути її " -"відфільтровано у списку надійних (довірених) доменів." +"<emphasis>none</emphasis> — не використовувати перевірки на боці клієнта. У " +"разі використання цього варіанта перевірку на боці сервера вимкнено не буде." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" -"Типове значення: groupType у засобі надання даних AD, у інших засобах не " -"встановлено" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" -msgstr "ldap_group_external_member (рядок)" +"<emphasis>shadow</emphasis> — використовувати атрибути у стилі " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> для визначення того, чи чинним є пароль." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1033 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" -"Атрибут LDAP, який посилається на записи учасників групи, які визначено у " -"зовнішньому домені. У поточній версії передбачено підтримку лише зовнішніх " -"записів учасників IPA." +"<emphasis>mit_kerberos</emphasis> — використовувати атрибути MIT Kerberos " +"для визначення завершення строку дії пароля. У разі зміни пароля " +"скористайтеся chpass_provider=krb5 для оновлення цих атрибутів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" -"Типове значення: ipaExternalMember у засобі надання даних IPA, у інших " -"засобах не визначено." 
+"<emphasis>Зауваження</emphasis>: якщо правила поводження з паролями " +"налаштовано на боці сервера, ці правила мають пріоритет над правилами, " +"встановленими за допомогою цього параметра." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" -msgstr "ldap_group_nesting_level (ціле число)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 -msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." -msgstr "" -"Якщо ldap_schema встановлено у значення формату схеми, у якому передбачено " -"підтримку вкладеності груп (наприклад RFC2307bis), цей параметр визначає " -"кількість рівнів вкладеності, які оброблятимуться SSSD. Значення цього " -"параметра буде проігноровано, якщо використано схему RFC2307." +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 -msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" -"Зауваження: за допомогою цього параметра визначається гарантований рівень " -"вкладеності груп для обробки під час будь-якого пошуку. 
Втім, <emphasis>може " -"бути</emphasis> повернуто і групи із більшим рівнем вкладеності, якщо під " -"час попередніх пошуків відбувалася обробка вищих рівнів вкладеності. Крім " -"того, послідовні пошуки інших груп можуть розширити набір результатів " -"початкового пошуку, якщо запити щодо пошуку надходять повторно." +"Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 +#: sssd-ldap.5.xml:1057 msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" -"Якщо значенням ldap_group_nesting_level є 0, вкладені групи взагалі не " -"оброблятимуться. Втім, якщо з’єднання встановлено з Active-Directory Server " -"2008 та новішими версіями з використанням <quote>id_provider=ad</quote>, " -"слід також вимкнути використання груп реєстраційних записів (Token-Groups) " -"встановленням для параметра ldap_use_tokengroups значення false з метою " -"обмеження вкладеності у групах." - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" -msgstr "Типове значення: 2" +"Зауважте, що sssd підтримує визначення напрямків, лише якщо систему зібрано " +"з версією OpenLDAP 2.4.13 або новішою версією." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1062 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" -"За допомогою цього параметра можна увімкнути або вимкнути використання " -"атрибута Token-Groups під час виконання initgroup для користувачів Active " -"Directory Server 2008 та новіших версій." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "Типове значення: True для AD і IPA, інакше False." +"Перехід за спрямуваннями може призвести до значних втрат швидкодії у " +"середовищах, де такі спрямування використовуються широко. Прикладом такого " +"середовища може бути Microsoft Active Directory. Якщо у вашому середовищі " +"спрямування не є обов’язковими, встановлення для цього параметра значення " +"«false» може значно пришвидшити роботу." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" -msgstr "ldap_netgroup_object_class (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." -msgstr "Клас об’єктів запису мережевої групи (netgroup) у LDAP." +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." -msgstr "У надавачі даних IPA має бути використано ipa_netgroup_object_class." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"Визначає назву служби, яку буде використано у разі вмикання визначення служб." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" -msgstr "Типове значення: nisNetgroup" +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" +msgstr "Типове значення: ldap" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" -msgstr "ldap_netgroup_name (рядок)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." -msgstr "Атрибут LDAP, що відповідає назві мережевої групи (netgroup)." +#: sssd-ldap.5.xml:1092 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Визначає назву служби, яку буде використано для пошуку сервера LDAP, який " +"уможливлює зміну паролів, у разі вмикання визначення служб." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." -msgstr "У надавачі даних IPA має бути використано ipa_netgroup_name." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. 
service discovery is disabled" +msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" -msgstr "ldap_netgroup_member (рядок)" +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" -"Атрибут LDAP, у якому містяться імена учасників мережевої групи (netgroup)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." -msgstr "У надавачі даних IPA має бути використано ipa_netgroup_member." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" -msgstr "Типове значення: memberNisNetgroup" +"Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change даними " +"щодо кількості днів з часу виконання дії зі зміни пароля." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" -msgstr "ldap_netgroup_triple (рядок)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." -msgstr "" -"Атрибут LDAP, що містить трійки мережевої групи (вузол, користувач, домен)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." -msgstr "Цим параметром не можна скористатися у надавачі даних IPA." +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" +"Якщо використовується access_provider = ldap та ldap_access_order = filter " +"(типова поведінка), цей параметр є обов’язковим. Він вказує критерії " +"фільтрування LDAP, яким має задовольняти запис користувача для надання " +"доступу до цього вузла. Якщо визначено access_provider = ldap та " +"ldap_access_order = filter, а цей параметр не встановлено, доступ буде " +"заборонено всім користувачам. Щоб змінити таку типову поведінку системи, " +"скористайтеся параметром access_provider = permit. 
Будь ласка, зауважте, що " +"цей фільтр застосовуватиметься лише до запису користувача LDAP, отже " +"фільтрування, засноване на вкладених групах може не працювати (наприклад, " +"атрибут memberOf для записів AD вказує лише на безпосередні батьківські " +"записи). Якщо вам потрібне фільтрування, засноване на вкладених групах, будь " +"ласка, скористайтеся параметром <citerefentry> <refentrytitle>sssd-simple</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" -msgstr "Типове значення: nisNetgroupTriple" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" -msgstr "ldap_netgroup_modify_timestamp (рядок)" +#: sssd-ldap.5.xml:1141 +msgid "Example:" +msgstr "Приклад:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" -msgstr "ldap_host_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." -msgstr "Клас об’єктів запису вузла у LDAP." +#: sssd-ldap.5.xml:1148 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." 
+msgstr "" +"У прикладі доступ до цього вузла обмежено користувачами, чий атрибут " +"employeeType встановлено у значення «admin»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" -msgstr "Типове значення: ipService" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" -msgstr "ldap_host_name (рядок)" +#: sssd-ldap.5.xml:1153 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" +"Автономне кешування для цієї можливості обмежено визначенням того, чи було " +"надано користувачеві під час попередньої спроби увійти до системи з мережі " +"права доступу. Якщо під час останньої спроби увійти такі права було надано, " +"система продовжуватиме надавати права доступу у автономному режимі. Якщо ж " +"таких прав не було надано, у автономному режимі їх також не буде надано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." -msgstr "Атрибут LDAP, що відповідає назві вузла." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" +msgstr "Типове значення: порожній рядок" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" -msgstr "ldap_host_fqdn (рядок)" +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 +#: sssd-ldap.5.xml:1170 msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." -msgstr "Атрибут LDAP, що відповідає повній назві вузла." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" -msgstr "Типове значення: fqdn" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" -msgstr "ldap_host_serverhostname (рядок)" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"За допомогою цього параметра може бути увімкнено визначення атрибутів " +"керування доступом на боці клієнта." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" -msgstr "Типове значення: serverHostname" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" -msgstr "ldap_host_member_of (рядок)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" +"Будь ласка, зауважте, що завжди варто використовувати керування доступом на " +"боці сервера, тобто сервер LDAP має відмовляти у запитах щодо прив’язування " +"з відповідним кодом помилки, навіть якщо вказано правильний пароль." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." 
-msgstr "Атрибут LDAP зі списком груп, у яких бере участь вузол." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "ldap_host_search_base (рядок)" +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" +msgstr "Можна використовувати такі значення:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів." +"<emphasis>shadow</emphasis>: це значення ldap_user_shadow_expire допомагає " +"визначити, чи завершено строк дії облікового запису." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1189 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -"Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про " -"налаштування декількох основ пошуку." - -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" -msgstr "Типове значення: значення <emphasis>ldap_search_base</emphasis>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" -msgstr "ldap_host_ssh_public_key (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." -msgstr "Атрибут LDAP, який містить відкриті ключі SSH вузла." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" -msgstr "ldap_host_uuid (рядок)" +"<emphasis>ad</emphasis>: скористатися значенням 32-бітового поля " +"ldap_user_ad_user_account_control і дозволити доступ, якщо другий біт має " +"нульове значення. Якщо атрибут не буде знайдено, доступ буде дозволено. " +"Також буде перевірено, чи не вичерпано строк дії облікового запису." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." -msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта вузла LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" -msgstr "ldap_service_object_class (рядок)" +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: використовувати для перевірки доступу значення " +"ldap_ns_account_lock." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
-msgstr "Клас об’єктів запису служби у LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" -msgstr "ldap_service_name (рядок)" +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" +"<emphasis>nds</emphasis>: для перевірки доступу використовувати значення " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled і " +"ldap_user_nds_login_expiration_time. Якщо не буде виявлено жодного з цих " +"атрибутів, надати доступ." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1211 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" -"Атрибут LDAP, що містить назву атрибутів служби та замінників цих атрибутів." +"Будь ласка, зауважте, що параметр налаштування ldap_access_order " +"<emphasis>має</emphasis> включати <quote>expire</quote>, щоб можна було " +"користуватися параметром ldap_account_expire_policy." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" -msgstr "ldap_service_port (рядок)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." -msgstr "Атрибут LDAP, що містить номер порту, яким керує ця служба." +#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"Список відокремлених комами параметрів керування доступом. Можливі значення " +"списку:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" -msgstr "Типове значення: ipServicePort" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" -msgstr "ldap_service_proto (рядок)" +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#: sssd-ldap.5.xml:1234 msgid "" -"The LDAP attribute that contains the protocols understood by this service." -msgstr "Атрибут LDAP, що містить протоколи, за яким може працювати ця служба." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" -msgstr "Типове значення: ipServiceProtocol" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" -msgstr "ldap_service_search_base (рядок)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" -msgstr "ldap_search_timeout (ціле число)" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" +"<emphasis>lockout</emphasis>: використовувати блокування облікових записів. " +"Якщо встановлено, цей параметр забороняє доступ, якщо існує атрибут ldap " +"«pwdAccountLockedTime» і його значенням є «000001010000Z». Будь ласка, " +"ознайомтеся із документацією до параметра ldap_pwdlockout_dn. Зауважте, що " +"для працездатності цієї можливості слід встановити «access_provider = ldap»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1244 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" -"Визначає час очікування на дані (у секундах) для виконання пошуків ldap, " -"перш ніж пошук буде скасовано з поверненням кешованих даних (і переходом до " -"автономного режиму роботи)" +"<emphasis> Будь ласка, зауважте, що цей параметр має нижчий пріоритет за " +"параметр «ppolicy», його може бути вилучено у наступних випусках. </" +"emphasis>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1251 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" -"Зауваження: роботу цього параметра буде змінено у наступних версіях SSSD. " -"Ймовірно, його буде колись замінено на послідовність часів очікування для " -"окремих типів пошуків." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" -msgstr "ldap_enumeration_search_timeout (ціле число)" +"<emphasis>ppolicy</emphasis>: використовувати блокування облікових записів. " +"Якщо встановлено, забороняє доступ у випадку наявності атрибута ldap " +"«pwdAccountLockedTime» рівного «000001010000Z» або такого, що відповідає " +"моменту часу у минулому. Значення атрибута «pwdAccountLockedTime» має " +"завершуватися на «Z», що позначає часовий пояс UTC. Підтримки інших часових " +"поясів у поточній версії не передбачено, їхнє використання призводитиме до " +"появи повідомлення про заборону доступу, коли користувачі намагатимуться " +"увійти до системи. Докладніший опис можна знайти у розділі щодо параметра " +"ldap_pwdlockout_dn. 
Будь ласка, зауважте, що для працездатності цього " +"параметра слід встановити значення «access_provider = ldap»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 -msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" -"Визначає час очікування на дані (у секундах) для виконання пошуків номерів " -"користувачів та груп у ldap, перш ніж пошук буде скасовано з поверненням " -"кешованих даних (і переходом до автономного режиму роботи)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" -msgstr "ldap_network_timeout (ціле число)" +"<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1272 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." 
msgstr "" -"Визначає час очікування (у секундах), після завершення якого <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> з наступним <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> повертається до стану бездіяльності." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" -msgstr "ldap_opt_timeout (ціле число)" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> Ці параметри корисні, якщо користувачам " +"потрібні попередження щодо скорого завершення строку дії пароля, і у " +"випадках, коли розпізнавання засновано на відмінних від паролів методах, " +"наприклад на ключах SSH." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1282 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -"Визначає час очікування (у секундах), після завершення якого виклики до " -"синхронних програмних інтерфейсів LDAP буде перервано, якщо не буде отримано " -"відповіді. 
Також керує часом очікування під час обміну даними з KDC у " -"випадку прив’язки SASL, часом очікування на дію з прив’язування LDAP, " -"розширеної операції зі зміни пароля та дії StartTLS." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" -msgstr "ldap_connection_expire_timeout (ціле значення)" +"Відмінність між цими параметрами полягає у дії, яку буде виконано, якщо " +"строк дії пароля вичерпано: pwd_expire_policy_reject — користувачеві буде " +"заборонено вхід до системи, pwd_expire_policy_warn — користувач ще зможе " +"увійти до системи, pwd_expire_policy_renew — система попросить користувача " +"негайно змінити пароль." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1290 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" -"Визначає час очікування (у секундах), протягом якого підтримуватиметься " -"з’єднання з сервером LDAP. По завершенню цього часу буде зроблено спробу " -"повторно встановити з’єднання. У разі використання паралельно до SASL/GSSAPI " -"буде використано перше за часом значення (це значення або значення строку " -"дії TGT)." +"Зауважте, що якщо строк дії пароля вичерпано, запит із явним повідомленням " +"від SSSD не надходитиме." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "Типове значення: 900 (15 хвилин)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" -msgstr "ldap_page_size (ціле число)" +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" +"Будь ласка, зауважте, що для того, щоб цим можна було скористатися, слід " +"встановити «access_provider = ldap». Крім того, слід встановити для " +"параметра «ldap_pwd_policy» відповідні правила поводження із паролями." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1299 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -"Визначити кількість записів, які слід отримати з LDAP у відповідь на один " -"запит. На деяких серверах LDAP визначено обмеження максимальної кількості на " -"один запит." - -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" -msgstr "Типове значення: 1000" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" -msgstr "ldap_disable_paging (булеве значення)" +"<emphasis>authorized_service</emphasis>: використовувати для визначення " +"можливості доступу атрибут authorizedService" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 -msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" -"Вимикає контроль сторінок LDAP. Цим параметром слід скористатися, якщо " -"сервер LDAP повідомляє про підтримку контролю сторінок LDAP у своєму " -"RootDSE, але цю підтримку не увімкнено або вона не працює належним чином." +"<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити " +"права доступу" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1308 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -"Приклад: сервери OpenLDAP з модулем контролю сторінок, встановленим на " -"сервері, але не увімкненим, повідомляють про підтримку у RootDSE, але цією " -"підтримкою не можна скористатися." +"<emphasis>rhost</emphasis>: використовувати атрибут rhost для визначення " +"того, чи матиме віддалений вузол доступ" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1312 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" -"Приклад: 389 DS має ваду, пов’язану з тим, що здатен підтримувати лише один " -"процес контролю сторінок для одного з’єднання. 
У разі значного навантаження " -"це може призвести до відмови у виконанні запитів." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" -msgstr "ldap_disable_range_retrieval (булеве значення)" +"Будь ласка, зауважте, що значення поля rhost у pam встановлюється програмою. " +"Варто перевірити, що програма надсилає pam, перш ніж вмикати цей варіант " +"керування доступом." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." -msgstr "Вимкнути отримання діапазону Active Directory." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" +msgstr "Типове значення: filter" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#: sssd-ldap.5.xml:1320 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" -"У Active Directory за допомогою правила MaxValRange (типове значення 1500 " -"записів) обмежується кількість записів, які може бути отримано під час " -"пошуку. Якщо у певній групі міститься більше записів учасників, до відповіді " -"буде включено специфічне для AD розширення діапазону. За допомогою цього " -"параметра можна вимкнути обробку розширення діапазону, отже великі групи " -"буде представлено як такі, у яких немає учасників." +"Зауважте, що програма повідомить про помилку, якщо одне значення було " +"використано декілька разів." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" -msgstr "ldap_sasl_minssf (ціле значення)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 +#: sssd-ldap.5.xml:1330 msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -"Під час обміну даними з сервером LDAP за допомогою SASL визначає мінімальний " -"рівень захисту, потрібний для встановлення з’єднання. Значення цього " -"параметра визначається OpenLDAP." +"За допомогою цього параметра визначається DN запису правил поводження із " +"паролями на сервері LDAP. Будь ласка, зауважте, що те, що цього параметра не " +"буде у sssd.conf, у випадку увімкненого блокування облікових записів " +"призведе до заборони доступу, оскільки атрибути ppolicy на сервері LDAP не " +"можна буде перевірити належним чином." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" -msgstr "" -"Типове значення: типове для системи значення (зазвичай, визначається у ldap." -"conf)" +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" -msgstr "ldap_deref_threshold (ціле число)" +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" +msgstr "ldap_deref (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 +#: sssd-ldap.5.xml:1350 msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -"Вказує кількість учасників групи, записів яких має не вистачати у " -"зовнішньому кеші для запуску загального пошуку з розіменуванням. Якщо " -"пропущених записів буде менше за вказану кількість, пошук для них " -"виконуватиметься окремо." +"Визначає спосіб виконання розіменовування псевдонімів під час виконання " +"пошуку. Можливі такі варіанти:" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." 
+#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -"Ви можете повністю вимкнути запити щодо розіменувань встановленням значення " -"0. Будь ласка, зауважте, що у коді SSSD, зокрема засобу надання даних HBAC " -"IPA, є інструкції, які реалізовано лише з використанням викликів щодо " -"розіменування, тому навіть явне вимикання розіменувань не призведе до " -"вимикання розіменувань у цих частинах коду, якщо на сервері передбачено " -"підтримку розіменувань і оголошено про керування розіменуваннями у об'єкті " -"rootDSE." +"<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 +#: sssd-ldap.5.xml:1359 msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" -"Пошук з розіменуванням — це отримання всіх записів учасників групи за одним " -"викликом LDAP. У різних серверах LDAP може бути передбачено різні способи " -"розіменування. У поточній версії передбачено підтримку серверів 389/RHDS, " -"OpenLDAP та Active Directory." +"<emphasis>searching</emphasis>: розіменування псевдонімів відбувається у " +"межах основного об’єкта, а не на основі визначення місця основного об’єкта " +"пошуку." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 +#: sssd-ldap.5.xml:1364 msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -"<emphasis>Зауваження:</emphasis> якщо у одній з основ пошуку визначається " -"фільтр пошуку, покращення швидкодії фільтрів розіменування буде вимкнено, " -"незалежно від використання цього параметра." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" -msgstr "ldap_tls_reqcert (рядок)" +"<emphasis>finding</emphasis>: розіменування псевдонімів відбувається лише " +"під час визначення місця основного об’єкта пошуку." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 +#: sssd-ldap.5.xml:1369 msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" -"Визначає перелік перевірок, які слід виконати для сертифікатів серверів у " -"сеансі TLS, якщо такі перевірки слід виконувати. Може бути визначено одне з " -"таких значень:" +"<emphasis>always</emphasis>: розіменування псевдонімів відбувається як під " +"час пошуку, так і під час визначення місця основного об’єкта пошуку." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 +#: sssd-ldap.5.xml:1374 msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" -"<emphasis>never</emphasis> = клієнт не надсилатиме запиту і не перевірятиме " -"жодних сертифікатів сервера." +"Типове значення: не встановлено (обробка бібліотеками LDAP клієнта за " +"сценарієм <emphasis>never</emphasis>)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#: sssd-ldap.5.xml:1385 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -"<emphasis>allow</emphasis> = надіслати запит щодо сертифіката сервера. Якщо " -"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде " -"надано помилковий сертифікат, ігнорувати і продовжити сеанс у звичайному " -"режимі." +"Надає змогу зберігати локальних користувачів як учасників групи LDAP для " +"серверів, у яких використовується схема RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 +#: sssd-ldap.5.xml:1389 msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. 
If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" -"<emphasis>try</emphasis> = надіслати запит щодо сертифіката сервера. Якщо " -"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде " -"надано помилковий сертифікат, негайно перервати сеанс." +"У деяких середовищах, де використовується схема RFC2307, локальних " +"користувачів можна зробити учасниками груп LDAP додаванням імен цих " +"користувачів до атрибута memberUid. Узгодженість домену може бути " +"скомпрометовано, якщо буде виконано подібне додавання учасника, тому SSSD за " +"звичайних умов вилучає записи користувачів, яких «не вистачає», з кешованих " +"даних щодо участі у групах, щойно nsswitch спробує отримати дані щодо " +"користувачів за допомогою виклику getpw*() або initgroups()." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 +#: sssd-ldap.5.xml:1400 msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -"<emphasis>demand</emphasis> = надіслати запит щодо сертифіката сервера. 
Якщо " -"сертифікат не буде надано або буде надано помилковий сертифікат, негайно " -"перервати сеанс." +"У разі використання цього параметра програма повертається до перевірки " +"посилань на локальних користувачів і кешує їх так, що наступні виклики " +"initgroups() розширюватимуть список локальних користувачів додатковими " +"групами LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" -msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "wildcard_limit (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" -msgstr "Типове значення: hard" +#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" +"Визначає верхню межу для кількості записів, які отримуватимуться під час " +"пошуку з використанням символів-замінників." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" -msgstr "ldap_tls_cacert (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" +"У поточній версії пошук із використанням символів-замінників передбачено " +"лише для відповідача InfoPipe." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" +msgstr "Типове значення: 1000 (часто розмір однієї сторінки)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +#, fuzzy +#| msgid "" +#| "All of the common configuration options that apply to SSSD domains also " +#| "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +#| "<placeholder type=\"variablelist\" id=\"0\"/>" msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Визначає файл, який містить сертифікати для всіх служб сертифікації, які " -"розпізнаються <command>sssd</command>." +"Всі загальні параметри налаштування, які стосуються доменів SSSD, також " +"стосуються і доменів LDAP. Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки " +"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися більше. " +"<placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" +msgstr "ПАРАМЕТРИ SUDO" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"Типове значення: використовувати типові параметри OpenLDAP, що зберігаються " -"у <filename>/etc/openldap/ldap.conf</filename>" +"Докладні настанов щодо налаштовування sudo_provider можна знайти на сторінці " +"довідника (man) <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" -msgstr "ldap_tls_cacertdir (рядок)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." 
msgstr "" -"Визначає шлях до каталогу, де у окремих файлах містяться сертифікати служб " -"сертифікації (CA). Типовими назвами файлів є хеші сертифікатів з додаванням " -"«.0». Для створення відповідних назв можна скористатися " -"<command>cacertdir_rehash</command>, якщо ця програма є доступною." +"Проміжок часу у секундах між послідовними повними оновленнями правил sudo " +"SSSD у автоматичному режимі. Під час таких оновлень буде отримано повний " +"набір правил, що зберігаються на сервері." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" -msgstr "ldap_tls_cert (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1454 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"Це значення має перевищувати значення " +"<emphasis>ldap_sudo_smart_refresh_interval </emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." -msgstr "Визначає файл, який містить сертифікат для ключа клієнта." +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" +msgstr "Типове значення: 21600 (6 годин)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" -msgstr "ldap_tls_key (рядок)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (ціле число)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." -msgstr "Визначає файл, у якому міститься ключ клієнта." 
+#: sssd-ldap.5.xml:1468 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." +msgstr "" +"Проміжок часу у секундах між послідовними кмітливими оновленнями правил sudo " +"SSSD у автоматичному режимі. Під час таких оновлень буде отримано всі дані " +"правил, USN яких перевищує найбільше значення сервера USN, яке відоме SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" -msgstr "ldap_tls_cipher_suite (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" +"Якщо підтримки атрибутів USN на сервері не передбачено, буде використано " +"дані атрибута modifyTimestamp." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" -"Визначає прийнятні комплекти програм для шифрування. Записи у типовому " -"списку слід відокремлювати комами. 
З форматом можна ознайомитися на сторінці " -"довідника до <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>." +"<emphasis>Зауваження:</emphasis> набільше значення USN можна оновити у три " +"способи: 1) повним і кмітливим оновленням sudo (якщо виявлено оновлені " +"правила), 2) нумеруванням користувачів і груп (якщо виявлено увімкнені і " +"оновлені записи користувачів або груп) і 3) повторним з'єднанням із сервером " +"(типово, кожні 15 хвилин, див. <emphasis>ldap_connection_expire_timeout</" +"emphasis>)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" -msgstr "ldap_id_use_start_tls (булеве значення)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" -"Визначає, що з’єднання id_provider має також використовувати <systemitem " -"class=\"protocol\">tls</systemitem> для захисту каналу." +"Якщо визначено значення true, SSSD отримуватиме лише правила, що стосуються " +"цього комп’ютера (на основі адрес вузла або мережі у форматах IPv4 і IPv6 та " +"назв вузлів)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" -msgstr "ldap_id_mapping (булеве значення)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" -"Визначає, що SSSD має намагатися встановити відповідність ідентифікаторів " -"користувача і групи на основі атрибутів ldap_user_objectsid та " -"ldap_group_objectsid, замість атрибутів ldap_user_uid_number та " -"ldap_group_gid_number." +"Список назв вузлів або повних доменних назв, відокремлених пробілами, для " +"фільтрування списку правил." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" -"У поточній версії у цій можливості передбачено підтримку лише встановлення " -"відповідності objectSID у ActiveDirectory." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" -msgstr "ldap_min_id, ldap_max_id (ціле число)" +"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити " +"назву вузла та повну назву комп’ютера у домені у автоматичному режимі." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -"На відміну від прив’язування ідентифікаторів на основі SID, яке " -"використовується, якщо параметр ldap_id_mapping має значення true, діапазон " -"дозволених ідентифікаторів для ldap_user_uid_number і ldap_group_gid_number " -"є необмеженим. У конфігураціях з піддоменами та довіреними доменами це може " -"призвести до конфліктів ідентифікаторів. Щоб уникнути конфліктів, можна " -"встановити значення ldap_min_id і ldap_max_id для обмеження дозволеного " -"діапазону ідентифікаторів, які буде прочитано безпосередньо з сервера. Після " -"цього піддомени можуть вибирати інші діапазони для прив’язування " -"ідентифікаторів." +"Якщо для <emphasis>ldap_sudo_use_host_filter</emphasis> встановлено значення " +"<emphasis>false</emphasis>, цей параметр ні на що не впливатиме." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" -msgstr "" -"Типове значення: не встановлено (обидва параметри встановлено у значення 0)" +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" +msgstr "Типове значення: не вказано" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" -msgstr "ldap_sasl_mech (рядок)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#: sssd-ldap.5.xml:1536 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" -"Визначає механізм SASL, який слід використовувати. У поточній версії " -"перевірено і передбачено підтримку лише механізмів GSSAPI та GSS-SPNEGO." +"Список адрес вузлів або мереж у форматах IPv4 і IPv6 для фільтрування списку " +"правил." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 +#: sssd-ldap.5.xml:1541 msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." msgstr "" -"Якщо у модулі обробки передбачено підтримку піддоменів, значення для " -"піддоменів ldap_sasl_mech буде автоматично успадковано від домену. Якщо для " -"якогось піддомену потрібне інше значення, його можна перезаписати " -"встановленням ldap_sasl_mech для цього піддомену окремо. 
Докладніший опис " -"можна знайти у розділі щодо довірених доменів у підручнику з " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>." +"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити " +"адресу у автоматичному режимі." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" -msgstr "ldap_sasl_authid (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap -msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " -msgstr "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 +#: sssd-ldap.5.xml:1559 msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" -"Визначає ідентифікатор уповноваження SASL, яким слід скористатися. 
Якщо " -"використовується GSSAPI/GSS-SPNEGO, цим ідентифікатором є реєстраційні дані " -"Kerberos, які використовуються для розпізнавання при доступі до каталогу. " -"Цей параметр може містити або повні реєстраційні дані (наприклад host/" -"myhost@EXAMPLE.COM) або просто назву реєстраційного запису (наприклад host/" -"myhost). Типово, значення не встановлено і використовуються такі " -"реєстраційні записи: <placeholder type=\"programlisting\" id=\"0\"/> Якщо " -"жоден з них не буде знайдено, буде повернуто перший реєстраційний запис у " -"таблиці ключів." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" -msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ" +"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять " +"мережеву групу (netgroup) у атрибуті sudoHost." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" -msgstr "ldap_sasl_realm (рядок)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#: sssd-ldap.5.xml:1577 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -"Визначає область SASL, яку слід використовувати. Якщо не вказано значення, " -"типовим значенням цього параметра є значення krb5_realm. Якщо " -"ldap_sasl_authid також містить запис області, цей параметр буде " -"проігноровано." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." -msgstr "Типове значення: значення krb5_realm." +"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять шаблон " +"заміни у атрибуті sudoHost." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" -msgstr "ldap_sasl_canonicalize (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 +msgid "" +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" +msgstr "" +"Використання символів-замінників є дуже обчислювально вартісною операцією " +"для сервера LDAP!" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -"Якщо встановлено значення true (1), бібліотека LDAP виконувати зворотній " -"пошук з метою переведення назв вузлів у канонічну форму під час прив’язки до " -"SASL." +"На цій сторінці довідника наведено дані щодо відповідності назв атрибутів. " +"Докладний опис семантики атрибутів, пов’язаних з sudo, можна знайти у " +"довідці з <citerefentry> <refentrytitle>sudoers.ldap</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" -msgstr "Типове значення: false;" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" +msgstr "ПАРАМЕТРИ AUTOFS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" +"Деякі типові значення параметрів, описаних нижче, залежать від бази даних " +"LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" -msgstr "ldap_krb5_keytab (рядок)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." -msgstr "" -"Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI/GSS-" -"SPNEGO." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." +msgstr "Назва основної карти автоматичного монтування у LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" -msgstr "" -"Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5." -"keytab</filename>" +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" +msgstr "Типове значення: auto.master" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" +msgstr "ДОДАТКОВІ ПАРАМЕТРИ" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" -msgstr "ldap_krb5_init_creds (булеве значення)" +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" +msgstr "ldap_netgroup_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 -msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." -msgstr "" -"Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos " -"(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано " -"механізм GSSAPI або GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" +msgstr "ldap_user_search_base (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" -msgstr "ldap_krb5_ticket_lifetime (ціле число)" +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" +msgstr "ldap_group_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" +msgstr "<note>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." 
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -"Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI або GSS-" -"SPNEGO." +"Якщо увімкнено параметр <quote>ldap_use_tokengroups</quote>, пошуки в Active " +"Directory не буде обмежено — він повертатиме усі дані щодо участі у групах, " +"навіть без прив'язки до GID. Рекомендуємо вимкнути цю можливість, якщо назви " +"груп показуються неправильно." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" -msgstr "Типове значення: 86400 (24 години)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" +msgstr "</note>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" -msgstr "krb5_server, krb5_backup_server (рядок)" +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" +msgstr "ldap_sudo_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 -msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." 
-msgstr "" -"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів " -"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути " -"впорядковано за пріоритетом. Докладніше про резервування та додаткові " -"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може " -"бути додано номер порту (перед номером слід вписати двокрапку). Якщо " -"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше " -"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" +msgstr "ldap_autofs_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." -msgstr "" -"Під час використання виявлення служб для серверів KDC або kpasswd SSSD " -"спочатку намагається знайти записи DNS, у яких визначається протокол _udp. " -"Використання протоколу _tcp відбувається, лише якщо таких записів не " -"вдасться знайти." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. 
<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -"У попередніх випусках SSSD цей параметр мав назву «krb5_kdcip». У поточній " -"версії передбачено розпізнавання цієї застарілої назви, але користувачам " -"варто перейти на використання «krb5_server» у файлах налаштувань." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" -msgstr "krb5_realm (рядок)" +"Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними " +"слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам " +"відомі наслідки ваших дій. <placeholder type=\"variablelist\" id=\"0\"/> " +"<placeholder type=\"variablelist\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." -msgstr "" -"Вказати область Kerberos (для розпізнавання за SASL/GSSAPI/GSS-SPNEGO)." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "ПРИКЛАД" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -"Типове значення: типове значення системи, див. <filename>/etc/krb5.conf</" -"filename>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" -msgstr "krb5_canonicalize (булеве значення)" +"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " +"чином, а LDAP встановлено на один з доменів з розділу " +"<replaceable>[domains]</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Визначає, чи слід перетворювати реєстраційний запис вузла у канонічну форму " -"під час встановлення з’єднання з сервером LDAP. Цю можливість передбачено з " -"версії MIT Kerberos >= 1.7" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" -msgstr "krb5_use_kdcinfo (булеве значення)" +#. 
type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -"Визначає, чи слід SSSD вказувати бібліотекам Kerberos, яку область і які " -"значення KDC слід використовувати. Типово, дію параметра увімкнено. Якщо ви " -"вимкнете його, вам слід налаштувати бібліотеку Kerberos за допомогою файла " -"налаштувань <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " +"чином і використано ldap_access_order=lockout." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -"Див. сторінку підручника (man) <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку." +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" -msgstr "ldap_pwd_policy (рядок)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "ЗАУВАЖЕННЯ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 msgid "" -"Select the policy to evaluate the password expiration on the client side. 
" -"The following values are allowed:" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -"Визначає правил оцінки строку дії пароля на боці клієнта. Можна " -"використовувати такі значення:" +"Описи деяких з параметрів налаштування на цій сторінці підручника засновано " +"на даних сторінки підручника (man) <citerefentry> <refentrytitle>ldap.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> з пакунка OpenLDAP " +"2.4." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 -msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." -msgstr "" -"<emphasis>none</emphasis> — не використовувати перевірки на боці клієнта. У " -"разі використання цього варіанта перевірку на боці сервера вимкнено не буде." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "pam_sss" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 -msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." -msgstr "" -"<emphasis>shadow</emphasis> — використовувати атрибути у стилі " -"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> для визначення того, чи чинним є пароль." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "модуль PAM для SSSD" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -"<emphasis>mit_kerberos</emphasis> — використовувати атрибути MIT Kerberos " -"для визначення завершення строку дії пароля. У разі зміни пароля " -"скористайтеся chpass_provider=krb5 для оновлення цих атрибутів." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -"<emphasis>Зауваження</emphasis>: якщо правила поводження з паролями " -"налаштовано на боці сервера, ці правила мають пріоритет над правилами, " -"встановленими за допомогою цього параметра." +"<command>pam_sss.so</command> — інтерфейс PAM до System Security Services " +"daemon (SSSD). Помилки та результати роботи записуються за допомогою " +"<command>syslog(3)</command> до запису LOG_AUTHPRIV." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" -msgstr "ldap_referrals (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" +msgstr "<option>quiet</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." -msgstr "" -"Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." +msgstr "Не показувати у журналі повідомлень для невідомих користувачів." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" +msgstr "<option>forward_pass</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -"Зауважте, що sssd підтримує визначення напрямків, лише якщо систему зібрано " -"з версією OpenLDAP 2.4.13 або новішою версією." +"Якщо встановлено значення <option>forward_pass</option>, введений пароль " +"буде збережено у стосі паролів для використання іншими модулями PAM." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." -msgstr "" -"Перехід за спрямуваннями може призвести до значних втрат швидкодії у " -"середовищах, де такі спрямування використовуються широко. Прикладом такого " -"середовища може бути Microsoft Active Directory. Якщо у вашому середовищі " -"спрямування не є обов’язковими, встановлення для цього параметра значення " -"«false» може значно пришвидшити роботу." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" -msgstr "ldap_dns_service_name (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" +msgstr "<option>use_first_pass</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -"Визначає назву служби, яку буде використано у разі вмикання визначення служб." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" -msgstr "Типове значення: ldap" +"Використання аргументу use_first_pass примушує модуль до використання пароля " +"з модулів попереднього рівня. Ніяких запитів до користувача не " +"надсилатиметься, — якщо пароль не буде виявлено або пароль виявиться " +"непридатним, доступ користувачеві буде заборонено." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" -msgstr "ldap_chpass_dns_service_name (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" +msgstr "<option>use_authtok</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -"Визначає назву служби, яку буде використано для пошуку сервера LDAP, який " -"уможливлює зміну паролів, у разі вмикання визначення служб." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" -msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено" +"Визначає ситуацію, коли зміна пароля примушує модуль встановлювати новий " +"пароль на основі пароля, наданого попереднім модулем обробки паролів зі " +"стосу модулів." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" -msgstr "ldap_chpass_update_last_change (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" +msgstr "<option>retry=N</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -"Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change даними " -"щодо кількості днів з часу виконання дії зі зміни пароля." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" -msgstr "ldap_access_filter (рядок)" +"Якщо вказано, користувача запитуватимуть про пароль ще N разів, якщо перший " +"раз розпізнавання зазнає невдачі. Типовим значенням є 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. 
If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -"Якщо використовується access_provider = ldap та ldap_access_order = filter " -"(типова поведінка), цей параметр є обов’язковим. Він вказує критерії " -"фільтрування LDAP, яким має задовольняти запис користувача для надання " -"доступу до цього вузла. Якщо визначено access_provider = ldap та " -"ldap_access_order = filter, а цей параметр не встановлено, доступ буде " -"заборонено всім користувачам. Щоб змінити таку типову поведінку системи, " -"скористайтеся параметром access_provider = permit. Будь ласка, зауважте, що " -"цей фільтр застосовуватиметься лише до запису користувача LDAP, отже " -"фільтрування, засноване на вкладених групах може не працювати (наприклад, " -"атрибут memberOf для записів AD вказує лише на безпосередні батьківські " -"записи). Якщо вам потрібне фільтрування, засноване на вкладених групах, будь " -"ласка, скористайтеся параметром <citerefentry> <refentrytitle>sssd-simple</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." +"Будь ласка, зауважте, що цей параметр може працювати не так, як очікується, " +"якщо програма, яка викликає PAM, має власний обробник діалогових вікон " +"взаємодії з користувачем. 
Типовим прикладом є <command>sshd</command> з " +"<option>PasswordAuthentication</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" -msgstr "Приклад:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"Якщо вказано цей параметр і облікового запису не існує, модуль PAM поверне " +"PAM_IGNORE. Це призводить до ігнорування цього модуля оболонкою PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 -msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." -msgstr "" -"У прикладі доступ до цього вузла обмежено користувачами, чий атрибут " -"employeeType встановлено у значення «admin»." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -"Автономне кешування для цієї можливості обмежено визначенням того, чи було " -"надано користувачеві під час попередньої спроби увійти до системи з мережі " -"права доступу. Якщо під час останньої спроби увійти такі права було надано, " -"система продовжуватиме надавати права доступу у автономному режимі. Якщо ж " -"таких прав не було надано, у автономному режимі їх також не буде надано." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" -msgstr "Типове значення: порожній рядок" +"Визначає, що модуль PAM має повертати PAM_IGNORE, якщо не вдається " +"встановити зв’язок із фоновою службою SSSD. У результаті набір інструментів " +"PAM ігнорує цей модуль." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" -msgstr "ldap_account_expire_policy (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" +msgstr "<option>domains</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -"За допомогою цього параметра може бути увімкнено визначення атрибутів " -"керування доступом на боці клієнта." +"Надає змогу адміністратору обмежити домен певною службою PAM, за допомогою " +"якої можна буде виконувати розпізнавання. Формат значення: список назв " +"доменів SSSD, відокремлених комами, так, як їх вказано у файлі sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -"Будь ласка, зауважте, що завжди варто використовувати керування доступом на " -"боці сервера, тобто сервер LDAP має відмовляти у запитах щодо прив’язування " -"з відповідним кодом помилки, навіть якщо вказано правильний пароль." +"Зауваження: слід використовувати разом із параметрами «pam_trusted_users» і " +"«pam_public_domains». 
Будь ласка, ознайомтеся із сторінкою підручника " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, щоб дізнатися більше про ці два параметри " +"відповідача PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" -msgstr "Можна використовувати такі значення:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" +msgstr "<option>allow_missing_name</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -"<emphasis>shadow</emphasis>: це значення ldap_user_shadow_expire допомагає " -"визначити, чи завершено строк дії облікового запису." +"Основним призначенням цього параметра є надання SSSD змоги визначати ім'я " +"користувача на основі додаткових даних, наприклад сертифіката зі смарткартки." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. 
Also the expiration time " -"of the account is checked." +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -"<emphasis>ad</emphasis>: скористатися значенням 32-бітового поля " -"ldap_user_ad_user_account_control і дозволити доступ, якщо другий біт має " -"нульове значення. Якщо атрибут не буде знайдено, доступ буде дозволено. " -"Також буде перевірено, чи не вичерпано строк дії облікового запису." +"auth sufficient pam_sss.so allow_missing_name\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: використовувати для перевірки доступу значення " -"ldap_ns_account_lock." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 -msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." 
-msgstr "" -"<emphasis>nds</emphasis>: для перевірки доступу використовувати значення " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled і " -"ldap_user_nds_login_expiration_time. Якщо не буде виявлено жодного з цих " -"атрибутів, надати доступ." +"Поточним основним призначенням є засоби керування входом до системи, які " +"можуть спостерігати за подіями обробки карток на засобі читання смарткарток. " +"Щойно буде вставлено смарткартку, засіб керування входом до системи викличе " +"стос PAM, до якого включено рядок, подібний до <placeholder type=" +"\"programlisting\" id=\"0\"/> Якщо SSSD спробує визначити ім'я користувача " +"на основі вмісту смарткартки, повертає його до pam_sss, який, нарешті, " +"передасть його стосу PAM." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" +msgstr "<option>prompt_always</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -"Будь ласка, зауважте, що параметр налаштування ldap_access_order " -"<emphasis>має</emphasis> включати <quote>expire</quote>, щоб можна було " -"користуватися параметром ldap_account_expire_policy." +"Завжди запитувати у користувача реєстраційні дані. 
Якщо використано цей " +"параметр, реєстраційні дані, запит на які надійшов від інших модулів PAM, " +"типово, пароль, буде проігноровано, а pam_sss надсилатиме запит щодо " +"реєстраційних даних знову. На основі відповіді на попереднє розпізнавання " +"від SSSD pam_sss може надіслати запит щодо пароля, пін-коду смарткартки або " +"інших реєстраційних даних." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" -msgstr "ldap_access_order (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" +msgstr "<option>try_cert_auth</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 +msgid "" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -"Список відокремлених комами параметрів керування доступом. Можливі значення " -"списку:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" -msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter" +"Спробувати скористатися розпізнаванням на основі сертифікатів, тобто " +"розпізнаванням за допомогою смарткартки або подібного пристрою. 
Якщо " +"доступною є смарткартка і уможливлено розпізнавання за смарткарткою для " +"служби, система надішле запит щодо пін-коду і буде продовжено процедуру " +"розпізнавання за сертифікатом." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -"<emphasis>lockout</emphasis>: використовувати блокування облікових записів. " -"Якщо встановлено, цей параметр забороняє доступ, якщо існує атрибут ldap " -"«pwdAccountLockedTime» і його значенням є «000001010000Z». Будь ласка, " -"ознайомтеся із документацією до параметра ldap_pwdlockout_dn. Зауважте, що " -"для працездатності цієї можливості слід встановити «access_provider = ldap»." +"Якщо смарткартка виявиться недоступною або розпізнавання за сертифікатом " +"буде заборонено для поточної служби, буде повернуто PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" +msgstr "<option>require_cert_auth</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -"<emphasis> Будь ласка, зауважте, що цей параметр має нижчий пріоритет за " -"параметр «ppolicy», його може бути вилучено у наступних випусках. </" -"emphasis>" +"Виконати розпізнавання на основі сертифікатів, тобто розпізнавання за " +"допомогою смарткартки або подібного пристрою. Якщо смарткартка виявиться " +"недоступною, система попросить користувача вставити її. SSSD чекатиме на " +"смарткартку, аж доки не завершиться час очікування, визначений переданим " +"значенням p11_wait_for_card_timeout. Див. <citerefentry><refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>, щоб дізнатися " +"більше." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. 
Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -"<emphasis>ppolicy</emphasis>: використовувати блокування облікових записів. " -"Якщо встановлено, забороняє доступ у випадку наявності атрибута ldap " -"«pwdAccountLockedTime» рівного «000001010000Z» або такого, що відповідає " -"моменту часу у минулому. Значення атрибута «pwdAccountLockedTime» має " -"завершуватися на «Z», що позначає часовий пояс UTC. Підтримки інших часових " -"поясів у поточній версії не передбачено, їхнє використання призводитиме до " -"появи повідомлення про заборону доступу, коли користувачі намагатимуться " -"увійти до системи. Докладніший опис можна знайти у розділі щодо параметра " -"ldap_pwdlockout_dn. Будь ласка, зауважте, що для працездатності цього " -"параметра слід встановити значення «access_provider = ldap»." +"Якщо смарткартка виявиться недоступною на момент завершення часу очікування " +"або розпізнавання за сертифікатом буде заборонено для поточної служби, буде " +"повернуто PAM_AUTHINFO_UNAVAIL." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" -msgstr "" -"<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" +msgstr "ПЕРЕДБАЧЕНІ ТИПИ МОДУЛІВ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> Ці параметри корисні, якщо користувачам " -"потрібні попередження щодо скорого завершення строку дії пароля, і у " -"випадках, коли розпізнавання засновано на відмінних від паролів методах, " -"наприклад на ключах SSH." +"Передбачено всі типи модулів (<option>account</option>, <option>auth</" +"option>, <option>password</option> і <option>session</option>)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." 
msgstr "" -"Відмінність між цими параметрами полягає у дії, яку буде виконано, якщо " -"строк дії пароля вичерпано: pwd_expire_policy_reject — користувачеві буде " -"заборонено вхід до системи, pwd_expire_policy_warn — користувач ще зможе " -"увійти до системи, pwd_expire_policy_renew — система попросить користувача " -"негайно змінити пароль." +"Якщо відповідач PAM SSSD не запущено, наприклад, якщо сокет відповідача PAM " +"є недоступним, pam_sss поверне PAM_USER_UNKNOWN при виклику з модуля " +"<option>account</option>, щоб уникнути проблем із записами користувачів із " +"інших джерел під час керування доступом." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" +msgstr "ФАЙЛИ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -"Зауважте, що якщо строк дії пароля вичерпано, запит із явним повідомленням " -"від SSSD не надходитиме." +"Якщо спроба скидання пароля від імені адміністративного користувача (root) " +"зазнає невдачі, оскільки у відповідному засобі обробки SSSD не передбачено " +"скидання паролів, може бути показано певне повідомлення. У цьому " +"повідомленні, наприклад, можуть міститися настанови щодо скидання пароля." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. 
Also 'ldap_pwd_policy' must be set to an appropriate password policy." +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -"Будь ласка, зауважте, що для того, щоб цим можна було скористатися, слід " -"встановити «access_provider = ldap». Крім того, слід встановити для " -"параметра «ldap_pwd_policy» відповідні правила поводження із паролями." +"Текст повідомлення буде прочитано з файла <filename>pam_sss_pw_reset_message." +"LOC</filename>, де «LOC» — рядок локалі у форматі, повернутому " +"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" +"manvolnum> </citerefentry>. Якщо відповідного файла знайдено не буде, буде " +"показано вміст файла <filename>pam_sss_pw_reset_message.txt</filename>. " +"Власником файлів має бути адміністративний користувач (root). Доступ до " +"запису файлів також повинен мати лише адміністративний користувач. Всім " +"іншим користувачам може бути надано лише право читання файлів." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." 
msgstr "" -"<emphasis>authorized_service</emphasis>: використовувати для визначення " -"можливості доступу атрибут authorizedService" +"Пошук цих файлів виконуватиметься у каталозі <filename>/etc/sssd/customize/" +"НАЗВА_ДОМЕНУ/</filename>. Якщо відповідний файл не буде знайдено, буде " +"показано типове повідомлення." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" -msgstr "" -"<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити " -"права доступу" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "Додаток локатора Kerberos" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." 
msgstr "" -"<emphasis>rhost</emphasis>: використовувати атрибут rhost для визначення " -"того, чи матиме віддалений вузол доступ" +"Для пошуку KDC для вказаної області Kerberos libkrb5 використовує додаток " +"пошуку Kerberos <command>sssd_krb5_locator_plugin</command>. SSSD надає " +"такий додаток для спрямовування усіх клієнтів Kerberos у системі до єдиного " +"KDC. Загалом, немає значення, з яким KDC клієнт обмінюється даними. Втім, " +"бувають випадки, наприклад, після зміни пароля, коли не усі KDC перебувають " +"в одному стані, оскільки нові дані має бути спочатку відтворено на усіх " +"серверах. Щоб уникнути неочікуваних помилок під час розпізнавання або навіть " +"блокування облікових записів, варто примусово обмежувати обмін даними до " +"одного KDC якомога довше." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." 
msgstr "" -"Будь ласка, зауважте, що значення поля rhost у pam встановлюється програмою. " -"Варто перевірити, що програма надсилає pam, перш ніж вмикати цей варіант " -"керування доступом." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" -msgstr "Типове значення: filter" +"libkrb5 шукатиме додаток пошуку у підкаталозі libkrb5 каталогу додатків " +"Kerberos, див. plugin_base_dir у <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися " +"більше. Додаток можна вимкнути лише вилученням файла додатка. У " +"налаштуваннях Kerberos не передбачено пунктів для його вимикання. Втім, для " +"вимикання додатка для окремих команд можна скористатися змінною середовища " +"SSSD_KRB5_LOCATOR_DISABLE. Крім того, можна скористатися параметром SSSD " +"krb5_use_kdcinfo=False з метою заборони створення даних, які потрібні для " +"роботи додатка. Якщо визначити цю змінну, додаток викликатиметься, але не " +"надаватиме дані функції виклику, отже libkrb5 зможе повернутися до інших " +"методів, які визначено у krb5.conf." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -"Зауважте, що програма повідомить про помилку, якщо одне значення було " -"використано декілька разів." +"Додаток читає дані щодо KDC вказаної області з файла із назвою " +"<filename>kdcinfo.REALM</filename>. Цей файл має містити одну або декілька " +"назв DNS або IP-адрес або у форматі чисел, які відокремлено крапками, IPv4, " +"або у шістнадцятковому форматі IPv6. Можна додати необов'язковий номер порту " +"наприкінці, відокремивши його від решти запису двокрапкою. У цьому випадку, " +"як завжди, адресу IPv6 слід взяти у квадратні дужки. Коректними вважаються " +"такі записи:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" -msgstr "ldap_pwdlockout_dn (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" +msgstr "kdc.example.com" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 -msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" -"За допомогою цього параметра визначається DN запису правил поводження із " -"паролями на сервері LDAP. Будь ласка, зауважте, що те, що цього параметра не " -"буде у sssd.conf, у випадку увімкненого блокування облікових записів " -"призведе до заборони доступу, оскільки атрибути ppolicy на сервері LDAP не " -"можна буде перевірити належним чином." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "kdc.example.com:321" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" -msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "1.2.3.4" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" -msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "5.6.7.8:99" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" -msgstr "ldap_deref (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "2001:db8:85a3::8a2e:370:7334" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "[2001:db8:85a3::8a2e:370:7334]:321" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." 
msgstr "" -"Визначає спосіб виконання розіменовування псевдонімів під час виконання " -"пошуку. Можливі такі варіанти:" +"Надавач даних розпізнавання krb5 SSSD, який використовується також " +"надавачами даних IPA та AD, додає до цього файла адресу поточного KDC або " +"контролера домену, який використовує SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -"<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів." +"У середовищах із придатними лише для читання або для читання запису KDC, де, " +"як очікується, клієнти використовуватимуть придатні лише для читання " +"екземпляри для виконання загальних завдань і користуватиметься призначеними " +"для запису KDC лише для внесення змін до налаштувань, зокрема зміни паролів, " +"<filename>kpasswdinfo.REALM</filename> також використовується для визначення " +"придатних до читання і запису KDC. Якщо цей файл існує для вказаної області, " +"його вміст буде використано додатком для надання відповідей на запити щодо " +"сервера kpasswd або kadmin чи щодо певного основного KDC MIT Kerberos. 
Якщо " +"адреса містить номер порту, для останньої мети використовуватиметься типовий " +"порт KDC 88." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -"<emphasis>searching</emphasis>: розіменування псевдонімів відбувається у " -"межах основного об’єкта, а не на основі визначення місця основного об’єкта " -"пошуку." +"Підтримку використання додатків передбачено не у всіх реалізаціях Kerberos. " +"Якщо у вашій системі немає <command>sssd_krb5_locator_plugin</command>, вам " +"слід внести зміни до /etc/krb5.conf, які відповідатимуть вашій версії " +"Kerberos." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -"<emphasis>finding</emphasis>: розіменування псевдонімів відбувається лише " -"під час визначення місця основного об’єкта пошуку." +"Якщо встановлено будь-яке значення змінної середовища " +"SSSD_KRB5_LOCATOR_DEBUG, діагностичні повідомлення надсилатимуться до stderr." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -"<emphasis>always</emphasis>: розіменування псевдонімів відбувається як під " -"час пошуку, так і під час визначення місця основного об’єкта пошуку." +"Якщо встановлено будь-яке значення для змінної середовища " +"SSSD_KRB5_LOCATOR_DISABLE, додаток буде вимкнено і поверне функції виклику " +"лише KRB5_PLUGIN_NO_HANDLE." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -"Типове значення: не встановлено (обробка бібліотеками LDAP клієнта за " -"сценарієм <emphasis>never</emphasis>)" +"Якщо встановлено будь-яке значення змінної середовища " +"SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES, додаток спробує визначити усі назви " +"DNS у файлі kdcinfo. Типово, додаток повертає функції виклику " +"KRB5_PLUGIN_NO_HANDLE негайно після першої ж невдалої спроби визначення DNS." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" -msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "файл налаштувань інструмента керування доступом «simple» SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -"Надає змогу зберігати локальних користувачів як учасників групи LDAP для " -"серверів, у яких використовується схема RFC2307." +"На цій сторінці довідника описано налаштування простого засобу керування " +"доступом для <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис " +"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -"У деяких середовищах, де використовується схема RFC2307, локальних " -"користувачів можна зробити учасниками груп LDAP додаванням імен цих " -"користувачів до атрибута memberUid. Узгодженість домену може бути " -"скомпрометовано, якщо буде виконано подібне додавання учасника, тому SSSD за " -"звичайних умов вилучає записи користувачів, яких «не вистачає», з кешованих " -"даних щодо участі у групах, щойно nsswitch спробує отримати дані щодо " -"користувачів за допомогою виклику getpw*() або initgroups()." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." -msgstr "" -"У разі використання цього параметра програма повертається до перевірки " -"посилань на локальних користувачів і кешує їх так, що наступні виклики " -"initgroups() розширюватимуть список локальних користувачів додатковими " -"групами LDAP." 
+"Простий засіб керування доступом надає або забороняє доступ на основі списку " +"допуску або заборони, складеного за назвами облікових записів користувачів " +"та групами. Використовуються такі правила:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" -msgstr "wildcard_limit (ціле число)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Якщо всі списки є порожніми, доступ буде надано." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" -"Визначає верхню межу для кількості записів, які отримуватимуться під час " -"пошуку з використанням символів-замінників." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -"У поточній версії пошук із використанням символів-замінників передбачено " -"лише для відповідача InfoPipe." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" -msgstr "Типове значення: 1000 (часто розмір однієї сторінки)" +"Якщо вказано будь-який зі списків, обробка виконуватиметься за послідовністю " +"«допуск, потім заборона» (allow,deny). 
Це означає, що будь-яке з правил " +"заборони матиме пріоритет над будь-яким правилом допуску." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -"Всі загальні параметри налаштування, які стосуються доменів SSSD, також " -"стосуються і доменів LDAP. Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки " -"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися більше. " -"<placeholder type=\"variablelist\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" -msgstr "ПАРАМЕТРИ SUDO" +"Якщо буде вказано один або обидва списки допуску («allow»), всім " +"користувачам поза цими списками доступ буде заборонено." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." 
msgstr "" -"Докладні настанов щодо налаштовування sudo_provider можна знайти на сторінці " -"довідника (man) <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" -msgstr "ldap_sudorule_object_class (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." -msgstr "Клас об’єктів запису правила sudo у LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" -msgstr "Типове значення: sudoRole" +"Якщо буде вказано лише списки заборони («deny»), всі користувачам поза цими " +"списками доступ буде надано." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" -msgstr "ldap_sudorule_name (рядок)" +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." -msgstr "Атрибут LDAP, що відповідає назві правила sudo." +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" +"Відокремлений комами список користувачів, яким дозволено вхід до системи." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" -msgstr "ldap_sudorule_command (рядок)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." -msgstr "Атрибут LDAP, що відповідає назві команди." +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" -msgstr "Типове значення: sudoCommand" +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" +"Список користувачів, яким явно заборонено доступ; записи відокремлюються " +"комами." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" -msgstr "ldap_sudorule_host (рядок)" +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#: sssd-simple.5.xml:100 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -"Атрибут LDAP, який відповідає назві вузла (або IP-адресі вузла, IP-мережі " -"вузла, мережевій групі вузла)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" -msgstr "Типове значення: sudoHost" +"Відокремлений комами список груп, користувачам яких дозволено вхід до " +"системи. Стосується лише груп у межах цього домену SSSD. Локальні групи не " +"обробляються." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" -msgstr "ldap_sudorule_user (рядок)" +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#: sssd-simple.5.xml:111 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -"Атрибут LDAP, що відповідає назві імені користувача (або UID, назві групи " -"або назві мережевої групи користувача)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" -msgstr "Типове значення: sudoUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" -msgstr "ldap_sudorule_option (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." -msgstr "Атрибут LDAP, що відповідає параметрам sudo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" -msgstr "Типове значення: sudoOption" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" -msgstr "ldap_sudorule_runasuser (рядок)" +"Відокремлений комами список груп, користувачам яких явно заборонено доступ. 
" +"Стосується лише груп у межах цього домену SSSD. Локальні групи не " +"обробляються." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Атрибут LDAP, що відповідає користувачеві, від імені якого можна виконувати " -"команди." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" -msgstr "Типове значення: sudoRunAsUser" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" -msgstr "ldap_sudorule_runasgroup (рядок)" +"Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, щоб дізнатися більше про налаштування домену " +"SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. 
Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -"Атрибут LDAP, що відповідає назві групи або GID, від імені якої можна " -"виконувати команди." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" -msgstr "Типове значення: sudoRunAsGroup" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" -msgstr "ldap_sudorule_notbefore (рядок)" +"Якщо не вказувати значень для жодного зі списків, вважатиметься, що параметр " +"не визначено. Пам’ятайте про це, якщо захочете створити параметри для " +"простого надавача автоматизованими скриптами." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -"Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" -msgstr "Типове значення: sudoNotBefore" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" -msgstr "ldap_sudorule_notafter (рядок)" +"Будь ласка, зауважте, що визначення обох параметрів, simple_allow_users і " +"simple_deny_users, є помилкою у налаштуванні." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." -msgstr "Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" +"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, " +"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " +"У прикладі продемонстровано лише параметри, специфічні для простого засобу " +"доступу." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" -msgstr "Типове значення: sudoNotAfter" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" -msgstr "ldap_sudorule_order (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." -msgstr "Атрибут LDAP, що відповідає порядковому номеру правила." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" -msgstr "Типове значення: sudoOrder" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" -msgstr "ldap_sudo_full_refresh_interval (ціле число)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -"Проміжок часу у секундах між послідовними повними оновленнями правил sudo " -"SSSD у автоматичному режимі. Під час таких оновлень буде отримано повний " -"набір правил, що зберігаються на сервері." +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." 
msgstr "" -"Це значення має перевищувати значення " -"<emphasis>ldap_sudo_smart_refresh_interval </emphasis>" +"Повна обробка ієрархії участі у групах виконується до перевірки прав " +"доступу, отже, до списку груп доступу може бути включено навіть вкладені " +"групи. Будь ласка, зауважте, що на результати може вплинути значення " +"параметра «ldap_group_nesting_level». Вам слід встановити для нього достатнє " +"значення. Див. <citerefentry> <refentrytitle>sssd-ldap</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" -msgstr "Типове значення: 21600 (6 годин)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "sss-certmap" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" -msgstr "ldap_sudo_smart_refresh_interval (ціле число)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "Правила встановлення відповідності і прив'язування сертифікатів SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." 
msgstr "" -"Проміжок часу у секундах між послідовними кмітливими оновленнями правил sudo " -"SSSD у автоматичному режимі. Під час таких оновлень буде отримано всі дані " -"правил, USN яких перевищує найбільше значення сервера USN, яке відоме SSSD." +"На цій сторінці підручника описано правила, якими можна скористатися у SSSD " +"та інших компонентах для встановлення відповідності сертифікатів X.509 та " +"прив'язування їх до облікових записів." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -"Якщо підтримки атрибутів USN на сервері не передбачено, буде використано " -"дані атрибута modifyTimestamp." +"У кожного правила чотири компоненти — <quote>пріоритетність</quote>, " +"<quote>правило встановлення відповідності</quote>, <quote>правило прив'язки</" +"quote> і <quote>список доменів</quote>. Усі компоненти є необов'язковими. " +"Якщо не вказано <quote>пріоритетність</quote>, буде додано правило із " +"найнижчою пріоритетністю. 
Типове <quote>правило встановлення відповідності</" +"quote> встановлює відповідність сертифікатів із використанням ключів " +"digitalSignature і розширеним використанням ключів clientAuth. Якщо " +"<quote>правило прив'язки</quote> є порожнім, сертифікати шукатимуться у " +"атрибуті userCertificate у форматі закодованих двійкових даних DER. Якщо не " +"буде вказано доменів, пошук відбуватиметься у локальному домені." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "КОМПОНЕНТИ ПРАВИЛ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "ПРІОРИТЕТНІСТЬ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -"<emphasis>Зауваження:</emphasis> набільше значення USN можна оновити у три " -"способи: 1) повним і кмітливим оновленням sudo (якщо виявлено оновлені " -"правила), 2) нумеруванням користувачів і груп (якщо виявлено увімкнені і " -"оновлені записи користувачів або груп) і 3) повторним з'єднанням із сервером " -"(типово, кожні 15 хвилин, див. 
<emphasis>ldap_connection_expire_timeout</" -"emphasis>)." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" -msgstr "ldap_sudo_use_host_filter (булеве значення)" +"Правила оброблятимуться за пріоритетністю, номер «0» (нуль) відповідає " +"найвищому рівню пріоритетності. Чим більшим є значення, тим нижчою є " +"пріоритетність. Якщо значення не вказано, пріоритетність вважається " +"найнижчою. Обробку правил буде зупинено, якщо вдасться знайти відповідність " +"правилу, подальші правила не оброблятимуться." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -"Якщо визначено значення true, SSSD отримуватиме лише правила, що стосуються " -"цього комп’ютера (на основі адрес вузла або мережі у форматах IPv4 і IPv6 та " -"назв вузлів)." +"На внутрішньому рівні пріоритетність визначається 32-бітовим цілим числом " +"без знаку. Використання значення пріоритетності, що перевищує 4294967295, " +"призводитиме до виведення повідомлення про помилку." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" -msgstr "ldap_sudo_hostnames (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "ПРАВИЛО ВІДПОВІДНОСТІ" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -"Список назв вузлів або повних доменних назв, відокремлених пробілами, для " -"фільтрування списку правил." +"Правило встановлення відповідності використовується для вибору сертифіката, " +"до якого слід застосовувати правило прив'язки. У цьому використовується " +"система, подібна до використаної у параметрі <quote>pkinit_cert_match</" +"quote> Kerberos MIT. Правило складається з ключового слова між символами " +"«<» і «>», яке визначає певну частину сертифіката, і взірцем, який має " +"бути знайдено, для встановлення відповідності правила. Декілька пар ключове " +"слово-взірець можна сполучати за допомогою логічних операторів «&" +"&» (та) або «||» (або)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "<SUBJECT>формальний-вираз" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити " -"назву вузла та повну назву комп’ютера у домені у автоматичному режимі." +"За допомогою цього компонент можна встановлювати відповідність частини або " +"усього запису призначення. Для встановлення відповідності використовується " +"синтаксис розширених формальних виразів POSIX. Докладніший опис синтаксису " +"можна знайти на сторінці підручника regex(7)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." 
msgstr "" -"Якщо для <emphasis>ldap_sudo_use_host_filter</emphasis> встановлено значення " -"<emphasis>false</emphasis>, цей параметр ні на що не впливатиме." +"Для встановлення відповідності запис призначення, що зберігається у " +"сертифікаті у форматі кодованого DER ASN.1, буде перетворено на текстовий " +"рядок відповідно до RFC 4514. Це означає, що першою у рядку буде " +"найспецифічніша компонента. Будь ласка, зауважте, що у RFC 4514 описано не " +"усі можливі назви атрибутів. Включеними вважаються такі назви: «CN», «L», " +"«ST», «O», «OU», «C», «STREET», «DC» і «UID». Назви інших атрибутів може " +"бути показано у різний спосіб на різних платформах і у різних інструментах. " +"Щоб уникнути двозначностей, не варто використовувати ці атрибути і вживати " +"їх у відповідних формальних виразах." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" -msgstr "Типове значення: не вказано" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "Приклад: <SUBJECT>.*,DC=MY,DC=DOMAIN" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" -msgstr "ldap_sudo_ip (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "<ISSUER>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -"Список адрес вузлів або мереж у форматах IPv4 і IPv6 для фільтрування списку " -"правил." +"За допомогою цього компонент можна встановлювати відповідність частини або " +"усього запису видавця. Цього запису стосуються усі коментарі щодо <" +"SUBJECT>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." -msgstr "" -"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити " -"адресу у автоматичному режимі." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" -msgstr "ldap_sudo_include_netgroups (булеве значення)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." -msgstr "" -"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять " -"мережеву групу (netgroup) у атрибуті sudoHost." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "Приклад: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" -msgstr "ldap_sudo_include_regexp (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "<KU>використання-ключа" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" msgstr "" -"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять шаблон " -"заміни у атрибуті sudoHost." +"За допомогою цього параметра можна визначити значення використання ключа, " +"які повинен містити сертифікат. У списку значень, відокремлених комами, " +"можна використовувати такі значення:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" -msgstr "" -"Використання символів-замінників є дуже обчислювально вартісною операцією " -"для сервера LDAP!" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "digitalSignature" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 -msgid "" -"This manual page only describes attribute name mapping. 
For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" -msgstr "" -"На цій сторінці довідника наведено дані щодо відповідності назв атрибутів. " -"Докладний опис семантики атрибутів, пов’язаних з sudo, можна знайти у " -"довідці з <citerefentry> <refentrytitle>sudoers.ldap</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "nonRepudiation" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" -msgstr "ПАРАМЕТРИ AUTOFS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 -msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." -msgstr "" -"Деякі типові значення параметрів, описаних нижче, залежать від бази даних " -"LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "dataEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" -msgstr "ldap_autofs_map_master_name (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "keyAgreement" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." -msgstr "Назва основної карти автоматичного монтування у LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "keyCertSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" -msgstr "Типове значення: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "cRLSign" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" -msgstr "ldap_autofs_map_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "encipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." -msgstr "Клас об’єктів запису карти автоматичного монтування у LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "decipherOnly" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -"Типове значення: nisMap (rfc2307, autofs_provider=ad), у інших випадках " -"automountMap" +"Для спеціальних випадків можна також використати числове значення у " +"діапазоні 32-бітових цілих чисел без знаку." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" -msgstr "ldap_autofs_map_name (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "Приклад: <KU>digitalSignature,keyEncipherment" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." -msgstr "Назва запису карти автоматичного монтування у LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "<EKU>розширене-використання-ключа" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This option can be used to specify which extended key usage the certificate " +"should have. 
The following value can be used in a comma separated list:" msgstr "" -"Типове значення: nisMapName (rfc2307, autofs_provider=ad), у інших випадках " -"automountMapName" +"За допомогою цього параметра можна визначити значення розширеного " +"використання ключа, які повинен містити сертифікат. У списку значень, " +"відокремлених комами, можна використовувати такі значення:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" -msgstr "ldap_autofs_entry_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "serverAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 -msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." -msgstr "" -"Клас об'єктів автоматичного монтування LDAP. Цей запис зазвичай відповідає " -"точні монтування." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "clientAuth" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" -msgstr "" -"Типове значення: nisObject (rfc2307, autofs_provider=ad), у інших випадках " -"automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "codeSigning" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" -msgstr "ldap_autofs_entry_key (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "emailProtection" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 -msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." -msgstr "" -"Ключ запису автоматичного монтування LDAP. Цей запис зазвичай відповідає " -"точні монтування." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "timeStamping" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" -msgstr "" -"Типове значення: cn (rfc2307, autofs_provider=ad), у інших випадках " -"automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "OCSPSigning" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" -msgstr "ldap_autofs_entry_value (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "KPClientAuth" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 -msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" -msgstr "" -"Типове значення: nisMapEntry (rfc2307, autofs_provider=ad), у інших випадках " -"automountInformation" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "pkinit" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "msScLogin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Розширені використання ключа, які не потрапили до вказаного вище списку, " +"можна визначити за допомогою їхнього OID у точково-десятковому позначенні." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" -msgstr "ДОДАТКОВІ ПАРАМЕТРИ" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "Приклад: <EKU>clientAuth,1.3.6.1.5.2.3.4" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" -msgstr "ldap_netgroup_search_base (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "<SAN>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" -msgstr "ldap_user_search_base (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" -msgstr "ldap_group_search_base (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" -msgstr "<note>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." 
msgstr "" -"Якщо увімкнено параметр <quote>ldap_use_tokengroups</quote>, пошуки в Active " -"Directory не буде обмежено — він повертатиме усі дані щодо участі у групах, " -"навіть без прив'язки до GID. Рекомендуємо вимкнути цю можливість, якщо назви " -"груп показуються неправильно." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" -msgstr "</note>" +"Для сумісності із використанням Kerberos MIT цей параметр встановлюватиме " +"відповідність реєстраційних даних Kerberos у PKINIT або AD NT Principal SAN " +"так, як це робить <SAN:Principal>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" -msgstr "ldap_sudo_search_base (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "Приклад: <SAN>.*@MY\\.REALM" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" -msgstr "ldap_autofs_search_base (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "<SAN:Principal>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 -msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -"Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними " -"слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам " -"відомі наслідки ваших дій. <placeholder type=\"variablelist\" id=\"0\"/> " -"<placeholder type=\"variablelist\" id=\"1\"/>" +"Встановити відповідність реєстраційних даних Kerberos у PKINIT або AD NT " +"Principal SAN." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" -msgstr "ПРИКЛАД" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "Приклад: <SAN:Principal>.*@MY\\.REALM" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." -msgstr "" -"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " -"чином, а LDAP встановлено на один з доменів з розділу " -"<replaceable>[domains]</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "<SAN:ntPrincipalName>формальний-вираз" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"Встановити відповідність реєстраційних даних Kerberos з AD NT Principal SAN." -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "Приклад: <SAN:ntPrincipalName>.*@MY.AD.REALM" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" -msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "<SAN:pkinit>формальний-вираз" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 -msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." -msgstr "" -"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " -"чином і використано ldap_access_order=lockout." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "Встановити відповідність реєстраційних даних Kerberos з SAN PKINIT." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" -msgstr "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "Приклад: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" -msgstr "ЗАУВАЖЕННЯ" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "<SAN:dotted-decimal-oid>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -"Описи деяких з параметрів налаштування на цій сторінці підручника засновано " -"на даних сторінки підручника (man) <citerefentry> <refentrytitle>ldap.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> з пакунка OpenLDAP " -"2.4." +"Отримати значення компонента SAN otherName, яке задано OID у крапково-" +"десятковому позначенні, обробити його як рядок і спробувати встановити " +"відповідність формальному виразу." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" -msgstr "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "Приклад: <SAN:1.2.3.4>test" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" -msgstr "модуль PAM для SSSD" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "<SAN:otherName>base64-string" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." 
msgstr "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"Виконати спробу встановлення двійкової відповідності блоку у кодуванні " +"base64 із усіма компонентами SAN otherName. За допомогою цього параметра " +"можна встановлювати відповідність із нетиповими компонентами otherName із " +"особливими кодуваннями, які не можна обробляти як рядки." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." -msgstr "" -"<command>pam_sss.so</command> — інтерфейс PAM до System Security Services " -"daemon (SSSD). Помилки та результати роботи записуються за допомогою " -"<command>syslog(3)</command> до запису LOG_AUTHPRIV." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "Приклад: <SAN:otherName>MTIz" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" -msgstr "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "<SAN:rfc822Name>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." -msgstr "Не показувати у журналі повідомлень для невідомих користувачів." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" -msgstr "<option>forward_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 -msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." -msgstr "" -"Якщо встановлено значення <option>forward_pass</option>, введений пароль " -"буде збережено у стосі паролів для використання іншими модулями PAM." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" -msgstr "<option>use_first_pass</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 -msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." -msgstr "" -"Використання аргументу use_first_pass примушує модуль до використання пароля " -"з модулів попереднього рівня. 
Ніяких запитів до користувача не " -"надсилатиметься, — якщо пароль не буде виявлено або пароль виявиться " -"непридатним, доступ користувачеві буде заборонено." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "Встановити відповідність значення SAN rfc822Name." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" -msgstr "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "Приклад: <SAN:rfc822Name>.*@email\\.domain" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." -msgstr "" -"Визначає ситуацію, коли зміна пароля примушує модуль встановлювати новий " -"пароль на основі пароля, наданого попереднім модулем обробки паролів зі " -"стосу модулів." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "<SAN:dNSName>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" -msgstr "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "Встановити відповідність значення SAN dNSName." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 -msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." -msgstr "" -"Якщо вказано, користувача запитуватимуть про пароль ще N разів, якщо перший " -"раз розпізнавання зазнає невдачі. Типовим значенням є 0." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "Приклад: <SAN:dNSName>.*\\.my\\.dns\\.domain" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 -msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." -msgstr "" -"Будь ласка, зауважте, що цей параметр може працювати не так, як очікується, " -"якщо програма, яка викликає PAM, має власний обробник діалогових вікон " -"взаємодії з користувачем. Типовим прикладом є <command>sshd</command> з " -"<option>PasswordAuthentication</option>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "<SAN:x400Address>рядок-base64" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" -msgstr "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "Встановити двійкову відповідність значення SAN x400Address." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 -msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." -msgstr "" -"Якщо вказано цей параметр і облікового запису не існує, модуль PAM поверне " -"PAM_IGNORE. Це призводить до ігнорування цього модуля оболонкою PAM." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "Приклад: <SAN:x400Address>MTIz" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" -msgstr "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "<SAN:directoryName>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -"Визначає, що модуль PAM має повертати PAM_IGNORE, якщо не вдається " -"встановити зв’язок із фоновою службою SSSD. У результаті набір інструментів " -"PAM ігнорує цей модуль." +"Встановити відповідність значення SAN directoryName. Цього параметра " +"стосуються ті самі коментарі, які було вказано для параметрів <ISSUER> " +"та <SUBJECT>." 
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" -msgstr "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "Приклад: <SAN:directoryName>.*,DC=com" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 -msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." -msgstr "" -"Надає змогу адміністратору обмежити домен певною службою PAM, за допомогою " -"якої можна буде виконувати розпізнавання. Формат значення: список назв " -"доменів SSSD, відокремлених комами, так, як їх вказано у файлі sssd.conf." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "<SAN:ediPartyName>рядок-base64" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 -msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." -msgstr "" -"Зауваження: слід використовувати разом із параметрами «pam_trusted_users» і " -"«pam_public_domains». Будь ласка, ознайомтеся із сторінкою підручника " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>, щоб дізнатися більше про ці два параметри " -"відповідача PAM." 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "Встановити двійкову відповідність значення SAN ediPartyName." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" -msgstr "<option>allow_missing_name</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "Приклад: <SAN:ediPartyName>MTIz" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 -msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." -msgstr "" -"Основним призначенням цього параметра є надання SSSD змоги визначати ім'я " -"користувача на основі додаткових даних, наприклад сертифіката зі смарткартки." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "<SAN:uniformResourceIdentifier>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " -msgstr "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "Встановити відповідність значення SAN uniformResourceIdentifier." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 -msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." -msgstr "" -"Поточним основним призначенням є засоби керування входом до системи, які " -"можуть спостерігати за подіями обробки карток на засобі читання смарткарток. " -"Щойно буде вставлено смарткартку, засіб керування входом до системи викличе " -"стос PAM, до якого включено рядок, подібний до <placeholder type=" -"\"programlisting\" id=\"0\"/> Якщо SSSD спробує визначити ім'я користувача " -"на основі вмісту смарткартки, повертає його до pam_sss, який, нарешті, " -"передасть його стосу PAM." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "Приклад: <SAN:uniformResourceIdentifier>URN:.*" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" -msgstr "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "<SAN:iPAddress>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 -msgid "" -"Always prompt the user for credentials. 
With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." -msgstr "" -"Завжди запитувати у користувача реєстраційні дані. Якщо використано цей " -"параметр, реєстраційні дані, запит на які надійшов від інших модулів PAM, " -"типово, пароль, буде проігноровано, а pam_sss надсилатиме запит щодо " -"реєстраційних даних знову. На основі відповіді на попереднє розпізнавання " -"від SSSD pam_sss може надіслати запит щодо пароля, пін-коду смарткартки або " -"інших реєстраційних даних." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "Встановити відповідність значення SAN iPAddress." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" -msgstr "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "Приклад: <SAN:iPAddress>192\\.168\\..*" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 -msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" -msgstr "" -"Спробувати скористатися розпізнаванням на основі сертифікатів, тобто " -"розпізнаванням за допомогою смарткартки або подібного пристрою. 
Якщо " -"доступною є смарткартка і уможливлено розпізнавання за смарткарткою для " -"служби, система надішле запит щодо пін-коду і буде продовжено процедуру " -"розпізнавання за сертифікатом." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "<SAN:registeredID>формальний-вираз" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 -msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -"Якщо смарткартка виявиться недоступною або розпізнавання за сертифікатом " -"буде заборонено для поточної служби, буде повернуто PAM_AUTHINFO_UNAVAIL." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" -msgstr "<option>require_cert_auth</option>" +"Встановити значення SAN registeredID у форматі точково-десяткового рядка." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
-msgstr "" -"Виконати розпізнавання на основі сертифікатів, тобто розпізнавання за " -"допомогою смарткартки або подібного пристрою. Якщо смарткартка виявиться " -"недоступною, система попросить користувача вставити її. SSSD чекатиме на " -"смарткартку, аж доки не завершиться час очікування, визначений переданим " -"значенням p11_wait_for_card_timeout. Див. <citerefentry><refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>, щоб дізнатися " -"більше." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "Приклад: <SAN:registeredID>1\\.2\\.3\\..*" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" -"Якщо смарткартка виявиться недоступною на момент завершення часу очікування " -"або розпізнавання за сертифікатом буде заборонено для поточної служби, буде " -"повернуто PAM_AUTHINFO_UNAVAIL." - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" -msgstr "ПЕРЕДБАЧЕНІ ТИПИ МОДУЛІВ" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 -msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." 
-msgstr "" -"Передбачено всі типи модулів (<option>account</option>, <option>auth</" -"option>, <option>password</option> і <option>session</option>)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "ПРАВИЛО ПРИВʼЯЗУВАННЯ" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -"Якщо відповідач PAM SSSD не запущено, наприклад, якщо сокет відповідача PAM " -"є недоступним, pam_sss поверне PAM_USER_UNKNOWN при виклику з модуля " -"<option>account</option>, щоб уникнути проблем із записами користувачів із " -"інших джерел під час керування доступом." - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" -msgstr "ФАЙЛИ" +"Правило прив'язки використовується для пов'язування сертифіката із одним або " +"декількома обліковими записами. Далі, смарткарткою із сертифікатом та " +"відповідним закритим ключем можна скористатися для розпізнавання за одним з " +"цих облікових записів." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. 
contain instructions about how to reset a password." +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -"Якщо спроба скидання пароля від імені адміністративного користувача (root) " -"зазнає невдачі, оскільки у відповідному засобі обробки SSSD не передбачено " -"скидання паролів, може бути показано певне повідомлення. У цьому " -"повідомленні, наприклад, можуть міститися настанови щодо скидання пароля." +"У поточній версії SSSD на базовому рівні підтримує пошук даних користувачів " +"лише у LDAP (винятком є лише засіб надання проксі, який у цьому контексті є " +"недоречним). Через це правило прив'язки засновано на синтаксисі фільтрування " +"пошуку LDAP з шаблонами для додавання вмісту сертифікатів до фільтра. " +"Очікується, що цей фільтр міститиме лише специфічні дані, потрібні для " +"прив'язки, яку функція виклику вбудовуватиме до іншого фільтра для виконання " +"справжнього пошуку. Через це рядок фільтрування має починатися із " +"завершуватися «(» і «)», відповідно." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. 
If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." -msgstr "" -"Текст повідомлення буде прочитано з файла <filename>pam_sss_pw_reset_message." -"LOC</filename>, де «LOC» — рядок локалі у форматі, повернутому " -"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" -"manvolnum> </citerefentry>. Якщо відповідного файла знайдено не буде, буде " -"показано вміст файла <filename>pam_sss_pw_reset_message.txt</filename>. " -"Власником файлів має бути адміністративний користувач (root). Доступ до " -"запису файлів також повинен мати лише адміністративний користувач. Всім " -"іншим користувачам може бути надано лише право читання файлів." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" +"Загалом, рекомендується використовувати атрибути з сертифіката і додати їх " +"до спеціальних атрибутів об'єкта користувача LDAP. Наприклад, можна " +"скористатися атрибутом «altSecurityIdentities» у AD або атрибутом " +"«ipaCertMapData» для IPA." -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. 
On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -"Пошук цих файлів виконуватиметься у каталозі <filename>/etc/sssd/customize/" -"НАЗВА_ДОМЕНУ/</filename>. Якщо відповідний файл не буде знайдено, буде " -"показано типове повідомлення." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" -msgstr "sssd_krb5_locator_plugin" +"Бажаним шляхом є читання із сертифіката специфічних для користувача даних, " +"наприклад адреси електронної пошти, і пошук цих даних на сервері LDAP. " +"Причиною є те, що специфічні для користувача дані у LDAP можу бути з різних " +"причин змінено, що розірве прив'язку. З іншого боку, якщо скористатися " +"бажаним шляхом, розірвати прив'язку буде важко." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" -msgstr "Додаток локатора Kerberos" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. 
after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -"Для пошуку KDC для вказаної області Kerberos libkrb5 використовує додаток " -"пошуку Kerberos <command>sssd_krb5_locator_plugin</command>. SSSD надає " -"такий додаток для спрямовування усіх клієнтів Kerberos у системі до єдиного " -"KDC. Загалом, немає значення, з яким KDC клієнт обмінюється даними. Втім, " -"бувають випадки, наприклад, після зміни пароля, коли не усі KDC перебувають " -"в одному стані, оскільки нові дані має бути спочатку відтворено на усіх " -"серверах. Щоб уникнути неочікуваних помилок під час розпізнавання або навіть " -"блокування облікових записів, варто примусово обмежувати обмін даними до " -"одного KDC якомога довше." +"Цей шаблон додасть повний DN видавця, перетворений на рядок відповідно до " +"RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN " +"стоїть останнім), буде використано параметр із префіксом «_x500»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. 
" -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -"libkrb5 шукатиме додаток пошуку у підкаталозі libkrb5 каталогу додатків " -"Kerberos, див. plugin_base_dir у <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися " -"більше. Додаток можна вимкнути лише вилученням файла додатка. У " -"налаштуваннях Kerberos не передбачено пунктів для його вимикання. Втім, для " -"вимикання додатка для окремих команд можна скористатися змінною середовища " -"SSSD_KRB5_LOCATOR_DISABLE. Крім того, можна скористатися параметром SSSD " -"krb5_use_kdcinfo=False з метою заборони створення даних, які потрібні для " -"роботи додатка. Якщо визначити цю змінну, додаток викликатиметься, але не " -"надаватиме дані функції виклику, отже libkrb5 зможе повернутися до інших " -"методів, які визначено у krb5.conf." +"У варіантах перетворення, назви яких починаються з «ad_», " +"використовуватимуться назви атрибутів, які використовуються AD, наприклад " +"«S», замість «ST»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. 
The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -"Додаток читає дані щодо KDC вказаної області з файла із назвою " -"<filename>kdcinfo.REALM</filename>. Цей файл має містити одну або декілька " -"назв DNS або IP-адрес або у форматі чисел, які відокремлено крапками, IPv4, " -"або у шістнадцятковому форматі IPv6. Можна додати необов'язковий номер порту " -"наприкінці, відокремивши його від решти запису двокрапкою. У цьому випадку, " -"як завжди, адресу IPv6 слід взяти у квадратні дужки. Коректними вважаються " -"такі записи:" +"У варіантах перетворення, назви яких починаються з «nss_», " +"використовуватимуться назви атрибутів, які використовуються NSS." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" -msgstr "kdc.example.com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" +"Типовим варіантом перетворення є «nss», тобто назви атрибутів відповідно до " +"NSS і упорядковування за LDAP/RFC 4514." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" -msgstr "kdc.example.com:321" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" +"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" -msgstr "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" -msgstr "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" +"Цей шаблон додасть повний DN призначення, перетворений на рядок відповідно " +"до RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN " +"стоїть останнім), буде використано параметр із префіксом «_x500»." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" -msgstr "2001:db8:85a3::8a2e:370:7334" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" +"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" -msgstr "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "{cert[!(bin|base64)]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -"Надавач даних розпізнавання krb5 SSSD, який використовується також " -"надавачами даних IPA та AD, додає до цього файла адресу поточного KDC або " -"контролера домену, який використовує SSSD." +"Цей шаблон додасть увесь сертифікат у кодуванні DER як рядок до фільтра " +"пошуку. Залежно від параметра перетворення, двійковий сертифікат або буде " +"преетворено на екрановану послідовність шістнадцяткових чисел у форматі " +"«\\xx», або на код base64. 
Типовим варіантом є екранована шістнадцяткова " +"послідовність, її може бути, наприклад, використано з атрибутом LDAP " +"«userCertificate;binary»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "Приклад: (userCertificate;binary={cert!bin})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "{subject_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." 
msgstr "" -"У середовищах із придатними лише для читання або для читання запису KDC, де, " -"як очікується, клієнти використовуватимуть придатні лише для читання " -"екземпляри для виконання загальних завдань і користуватиметься призначеними " -"для запису KDC лише для внесення змін до налаштувань, зокрема зміни паролів, " -"<filename>kpasswdinfo.REALM</filename> також використовується для визначення " -"придатних до читання і запису KDC. Якщо цей файл існує для вказаної області, " -"його вміст буде використано додатком для надання відповідей на запити щодо " -"сервера kpasswd або kadmin чи щодо певного основного KDC MIT Kerberos. Якщо " -"адреса містить номер порту, для останньої мети використовуватиметься типовий " -"порт KDC 88." +"Цей шаблон додасть реєстраційні дані Kerberos, які буде взято або з SAN, " +"який використовується pkinit, або з реєстраційних даних AD. Компонент " +"«short_name» відповідає першій частині реєстраційного запису до символу «@»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -"Підтримку використання додатків передбачено не у всіх реалізаціях Kerberos. " -"Якщо у вашій системі немає <command>sssd_krb5_locator_plugin</command>, вам " -"слід внести зміни до /etc/krb5.conf, які відповідатимуть вашій версії " -"Kerberos." +"Приклад: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "{subject_pkinit_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -"Якщо встановлено будь-яке значення змінної середовища " -"SSSD_KRB5_LOCATOR_DEBUG, діагностичні повідомлення надсилатимуться до stderr." +"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що " +"використовується pkinit. Компонент «short_name» відповідає першій частині " +"реєстраційного запису до символу «@»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -"Якщо встановлено будь-яке значення для змінної середовища " -"SSSD_KRB5_LOCATOR_DISABLE, додаток буде вимкнено і поверне функції виклику " -"лише KRB5_PLUGIN_NO_HANDLE." +"Приклад: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "{subject_nt_principal[.short_name]}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -"Якщо встановлено будь-яке значення змінної середовища " -"SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES, додаток спробує визначити усі назви " -"DNS у файлі kdcinfo. Типово, додаток повертає функції виклику " -"KRB5_PLUGIN_NO_HANDLE негайно після першої ж невдалої спроби визначення DNS." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" -msgstr "sssd-simple" +"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що " +"використовується AD. Компонент «short_name» відповідає першій частині " +"реєстраційного запису до символу «@»." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" -msgstr "файл налаштувань інструмента керування доступом «simple» SSSD" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "{subject_rfc822_name[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -"На цій сторінці довідника описано налаштування простого засобу керування " -"доступом для <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис " -"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"Цей шаблон додасть рядок, який зберігається у компоненті rfc822Name SAN, " +"типово, адресу електронної пошти. Компонент «short_name» відповідає першій " +"частині адреси до символу «@»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -"Простий засіб керування доступом надає або забороняє доступ на основі списку " -"допуску або заборони, складеного за назвами облікових записів користувачів " -"та групами. Використовуються такі правила:" +"Приклад: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "Якщо всі списки є порожніми, доступ буде надано." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "{subject_dns_name[.short_name]}" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -"Якщо вказано будь-який зі списків, обробка виконуватиметься за послідовністю " -"«допуск, потім заборона» (allow,deny). Це означає, що будь-яке з правил " -"заборони матиме пріоритет над будь-яким правилом допуску." 
+"Цей шаблон додасть рядок, який зберігається у компоненті dNSName SAN, " +"типово, повну назву вузла. Компонент «short_name» відповідає першій частині " +"назви до першого символу «.»." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -"Якщо буде вказано один або обидва списки допуску («allow»), всім " -"користувачам поза цими списками доступ буде заборонено." +"Приклад: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "{subject_uri}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -"Якщо буде вказано лише списки заборони («deny»), всі користувачам поза цими " -"списками доступ буде надано." +"Цей шаблон додає рядок, який зберігається у компоненті " +"uniformResourceIdentifier SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" -msgstr "simple_allow_users (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "Приклад: (uri={subject_uri})" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." -msgstr "" -"Відокремлений комами список користувачів, яким дозволено вхід до системи." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "{subject_ip_address}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" -msgstr "simple_deny_users (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "Цей шаблон додає рядок, який зберігається у компоненті iPAddress SAN." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." -msgstr "" -"Список користувачів, яким явно заборонено доступ; записи відокремлюються " -"комами." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "Приклад: (ip={subject_ip_address})" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" -msgstr "simple_allow_groups (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "{subject_x400_address}" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"Comma separated list of groups that are allowed to log in. This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -"Відокремлений комами список груп, користувачам яких дозволено вхід до " -"системи. Стосується лише груп у межах цього домену SSSD. Локальні групи не " -"обробляються." +"Цей шаблон додає значення, яке зберігається у компоненті x400Address SAN як " +"послідовність екранованих шістнадцяткових чисел." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" -msgstr "simple_deny_groups (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "Приклад: (attr:binary={subject_x400_address})" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." 
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -"Відокремлений комами список груп, користувачам яких явно заборонено доступ. " -"Стосується лише груп у межах цього домену SSSD. Локальні групи не " -"обробляються." +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -"Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>, щоб дізнатися більше про налаштування домену " -"SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" +"Цей шаблон додасть рядок DN значення, яке зберігається у компоненті " +"directoryName SAN." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "Приклад: (orig_dn={subject_directory_name})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "{subject_ediparty_name}" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -"Якщо не вказувати значень для жодного зі списків, вважатиметься, що параметр " -"не визначено. Пам’ятайте про це, якщо захочете створити параметри для " -"простого надавача автоматизованими скриптами." +"Цей шаблон додає значення, яке зберігається у компоненті ediPartyName SAN як " +"послідовність екранованих шістнадцяткових чисел." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." -msgstr "" -"Будь ласка, зауважте, що визначення обох параметрів, simple_allow_users і " -"simple_deny_users, є помилкою у налаштуванні." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "Приклад: (attr:binary={subject_ediparty_name})" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "{subject_registered_id}" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. 
" -"This examples shows only the simple access provider-specific options." +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, " -"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " -"У прикладі продемонстровано лише параметри, специфічні для простого засобу " -"доступу." +"Цей шаблон додає OID, який зберігається у компоненті registeredID SAN у " +"форматі точково-десяткового рядка." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "Приклад: (oid={subject_registered_id})" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +"Шаблони для додавання даних сертифікатів до фільтра пошуку засновано на " +"рядках форматування у стилі Python. Воли складаються з ключового слова у " +"фігурних дужках із додатковим підкомпонентом-специфікатором, відокремленим " +"«.», або додатковим параметром перетворення-форматування, відокремленим «!». " +"Дозволені значення: <placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "СПИСОК ДОМЕНІВ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -"Повна обробка ієрархії участі у групах виконується до перевірки прав " -"доступу, отже, до списку груп доступу може бути включено навіть вкладені " -"групи. Будь ласка, зауважте, що на результати може вплинути значення " -"параметра «ldap_group_nesting_level». Вам слід встановити для нього достатнє " -"значення. Див. <citerefentry> <refentrytitle>sssd-ldap</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." +"Якщо список доменів не є порожнім, записи користувачів, прив'язані до " +"заданого сертифіката, шукаються не лише у локальному домені, а і у доменах " +"зі списку, якщо вони відомі SSSD. Домени, які не відомі SSSD, буде " +"проігноровано." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" -msgstr "sss-certmap" +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" -msgstr "Правила встановлення відповідності і прив'язування сертифікатів SSSD" +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "Модуль надання даних IPA SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#: sssd-ipa.5.xml:23 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"На цій сторінці підручника описано правила, якими можна скористатися у SSSD " -"та інших компонентах для встановлення відповідності сертифікатів X.509 та " -"прив'язування їх до облікових записів." +"На цій сторінці довідника описано налаштування засобу керування доступом IPA " +"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, " +"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#: sssd-ipa.5.xml:36 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. 
The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -"У кожного правила чотири компоненти — <quote>пріоритетність</quote>, " -"<quote>правило встановлення відповідності</quote>, <quote>правило прив'язки</" -"quote> і <quote>список доменів</quote>. Усі компоненти є необов'язковими. " -"Якщо не вказано <quote>пріоритетність</quote>, буде додано правило із " -"найнижчою пріоритетністю. Типове <quote>правило встановлення відповідності</" -"quote> встановлює відповідність сертифікатів із використанням ключів " -"digitalSignature і розширеним використанням ключів clientAuth. Якщо " -"<quote>правило прив'язки</quote> є порожнім, сертифікати шукатимуться у " -"атрибуті userCertificate у форматі закодованих двійкових даних DER. Якщо не " -"буде вказано доменів, пошук відбуватиметься у локальному домені." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" -msgstr "КОМПОНЕНТИ ПРАВИЛ" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" -msgstr "ПРІОРИТЕТНІСТЬ" +"Інструмент надання даних IPA — модуль, який використовується для " +"встановлення з’єднання з сервером IPA. (Інформацію щодо серверів IPA можна " +"знайти на сайті freeipa.org.) Цей інструмент надання доступу потребує " +"включення комп’ютера до домену IPA. 
Налаштування майже повністю " +"автоматизовано, дані для нього отримуються безпосередньо з сервера." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -"Правила оброблятимуться за пріоритетністю, номер «0» (нуль) відповідає " -"найвищому рівню пріоритетності. Чим більшим є значення, тим нижчою є " -"пріоритетність. Якщо значення не вказано, пріоритетність вважається " -"найнижчою. Обробку правил буде зупинено, якщо вдасться знайти відповідність " -"правилу, подальші правила не оброблятимуться." +"Засіб надання даних IPA уможливлює для SSSD використання засобу надання " +"даних профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> та засобу надання даних " +"розпізнавання <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ IPA. 
" +"Засіб надання даних IPA приймає ті самі параметри, які використовуються " +"засобами надання даних sssd-ldap та sssd-krb5, із деякими виключеннями. " +"Втім, встановлювати ці параметри не обов'язково і не рекомендовано." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -"На внутрішньому рівні пріоритетність визначається 32-бітовим цілим числом " -"без знаку. Використання значення пріоритетності, що перевищує 4294967295, " -"призводитиме до виведення повідомлення про помилку." - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" -msgstr "ПРАВИЛО ВІДПОВІДНОСТІ" +"Засіб надання даних IPA в основному копіює типові параметри традиційних " +"засобів надання даних ldap і krb5 із деякими виключенням. Відмінності " +"наведено у розділі <quote>ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." 
+"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -"Правило встановлення відповідності використовується для вибору сертифіката, " -"до якого слід застосовувати правило прив'язки. У цьому використовується " -"система, подібна до використаної у параметрі <quote>pkinit_cert_match</" -"quote> Kerberos MIT. Правило складається з ключового слова між символами " -"«<» і «>», яке визначає певну частину сертифіката, і взірцем, який має " -"бути знайдено, для встановлення відповідності правила. Декілька пар ключове " -"слово-взірець можна сполучати за допомогою логічних операторів «&" -"&» (та) або «||» (або)." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" -msgstr "<SUBJECT>формальний-вираз" +"Як інструмент надання доступу, інструмент надання даних IPA для керування " +"доступом використовує правила HBAC (host-based access control або керування " +"доступом на основі даних щодо вузлів). Докладнішу інформацію щодо HBAC можна " +"отримати на сайті freeipa.org. У налаштуванні керування доступом на боці " +"клієнта немає потреби." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." 
msgstr "" -"За допомогою цього компонент можна встановлювати відповідність частини або " -"усього запису призначення. Для встановлення відповідності використовується " -"синтаксис розширених формальних виразів POSIX. Докладніший опис синтаксису " -"можна знайти на сторінці підручника regex(7)." +"Якщо у sssd.conf вказано <quote>auth_provider=ipa</quote> або " +"<quote>access_provider=ipa</quote>, для id_provider також має бути вказано " +"<quote>ipa</quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -"Для встановлення відповідності запис призначення, що зберігається у " -"сертифікаті у форматі кодованого DER ASN.1, буде перетворено на текстовий " -"рядок відповідно до RFC 4514. Це означає, що першою у рядку буде " -"найспецифічніша компонента. Будь ласка, зауважте, що у RFC 4514 описано не " -"усі можливі назви атрибутів. Включеними вважаються такі назви: «CN», «L», " -"«ST», «O», «OU», «C», «STREET», «DC» і «UID». 
Назви інших атрибутів може " -"бути показано у різний спосіб на різних платформах і у різних інструментах. " -"Щоб уникнути двозначностей, не варто використовувати ці атрибути і вживати " -"їх у відповідних формальних виразах." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" -msgstr "Приклад: <SUBJECT>.*,DC=MY,DC=DOMAIN" +"Інструмент надання даних IPA використовуватиме відповідач PAC, якщо квитки " +"Kerberos користувачів з довірених областей містять PAC. Для полегшення " +"налаштовування відповідач PAC запускається автоматично, якщо налаштовано " +"інструмент надання даних ідентифікаторів IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" -msgstr "<ISSUER>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -"За допомогою цього компонент можна встановлювати відповідність частини або " -"усього запису видавця. Цього запису стосуються усі коментарі щодо <" -"SUBJECT>." +"Визначає назву домену IPA. Є необов’язковим. Якщо не вказано, буде " +"використано назву домену з налаштувань." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" -msgstr "Приклад: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "<KU>використання-ключа" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" +"Впорядкований за пріоритетом список IP-адрес або назв вузлів, відокремлених " +"комами, серверів IPA, з якими має встановити з’єднання SSSD. Докладніші " +"відомості щодо резервних серверів викладено у розділі «РЕЗЕРВ». Цей список є " +"необов’язковим, якщо увімкнено автоматичне виявлення служб. Докладніші " +"відомості щодо автоматичного виявлення служб наведено у розділі «ПОШУК " +"СЛУЖБ»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -"За допомогою цього параметра можна визначити значення використання ключа, " -"які повинен містити сертифікат. У списку значень, відокремлених комами, " -"можна використовувати такі значення:" +"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не " +"відповідає повній назві, що використовується доменом IPA для розпізнавання " +"цього вузла. Назву вузла слід вказувати повністю." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" -msgstr "digitalSignature" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" -msgstr "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. 
The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" +"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично " +"оновити на сервері DNS, вбудованому до FreeIPA, IP-адресу клієнта. Захист " +"оновлення буде забезпечено за допомогою GSS-TSIG. Для оновлення буде " +"використано IP-адресу з’єднання LDAP IPA, якщо не вказано іншу адресу за " +"допомогою параметра «dyndns_iface»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" -msgstr "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" +"ЗАУВАЖЕННЯ: на застарілих системах (зокрема RHEL 5) для надійної роботи у " +"цьому режимі типову область дії Kerberos має бути належним чином визначено " +"у /etc/krb5.conf" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" -msgstr "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." 
+msgstr "" +"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " +"<emphasis>ipa_dyndns_update</emphasis>, користувачам слід переходити на нову " +"назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" -msgstr "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (ціле число)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" -msgstr "keyCertSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" +"TTL, до якого буде застосовано клієнтський запис DNS під час його оновлення. " +"Якщо dyndns_update має значення false, цей параметр буде проігноровано. " +"Перевизначає TTL на боці сервера, якщо встановлено адміністратором." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" -msgstr "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." 
+msgstr "" +"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " +"<emphasis>ipa_dyndns_ttl</emphasis>, користувачам слід переходити на нову " +"назву, <emphasis>dyndns_ttl</emphasis>, у файлі налаштувань." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" -msgstr "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Типове значення: 1200 (секунд)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" -msgstr "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -"Для спеціальних випадків можна також використати числове значення у " -"діапазоні 32-бітових цілих чисел без знаку." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" -msgstr "Приклад: <KU>digitalSignature,keyEncipherment" +"Необов'язковий. Застосовний, лише якщо dyndns_update має значення true. " +"Виберіть інтерфейс або список інтерфейсів, чиї IP-адреси має бути " +"використано для динамічних оновлень DNS. Спеціальне значення <quote>*</" +"quote> означає, що слід використовувати IP-адреси з усіх інтерфейсів." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" -msgstr "<EKU>розширене-використання-ключа" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" +"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " +"<emphasis>ipa_dyndns_iface</emphasis>, користувачам слід переходити на нову " +"назву, <emphasis>dyndns_iface</emphasis>, у файлі налаштувань." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -"За допомогою цього параметра можна визначити значення розширеного " -"використання ключа, які повинен містити сертифікат. 
У списку значень, " -"відокремлених комами, можна використовувати такі значення:" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" -msgstr "serverAuth" +"Типове значення: використовувати IP-адреси інтерфейсу, який використовується " +"для з’єднання LDAP IPA" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" -msgstr "clientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "Приклад: dyndns_iface = em1, vnet1, vnet2" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" -msgstr "codeSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" +msgstr "dyndns_auth (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" -msgstr "emailProtection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." 
+msgstr "" +"Визначає, чи має використовувати допоміжний засіб nsupdate розпізнавання GSS-" +"TSIG для безпечних оновлень за допомогою сервера DNS, незахищені оновлення " +"можна надсилати встановленням для цього параметра значення «none»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" -msgstr "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" +msgstr "Типове значення: GSS-TSIG" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" -msgstr "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" -msgstr "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "Вмикає сайти DNS — визначення служб на основі адрес." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" -msgstr "pkinit" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" +"Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо " +"пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку " +"спробує визначення на основі адрес за допомогою запиту, що містить " +"\"_location.hostname.example.com\", а потім повертається до традиційного " +"визначення SRV. Якщо визначення на основі адреси буде успішним, сервери IPA, " +"виявлені на основі визначення за адресою, вважатимуться основним серверами, " +"а сервери IPA, виявлені за допомогою традиційного визначення SRV, " +"вважатимуться резервними серверами." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" -msgstr "msScLogin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (ціле число)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -"Розширені використання ключа, які не потрапили до вказаного вище списку, " -"можна визначити за допомогою їхнього OID у точково-десятковому позначенні." +"Визначає, наскільки часто серверний модуль має виконувати періодичні " +"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час " +"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не " +"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" -msgstr "Приклад: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" -msgstr "<SAN>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." 
+msgstr "" +"Визначає, чи слід явним чином оновлювати запис PTR під час оновлення записів " +"DNS клієнта. Застосовується, лише якщо значенням dyndns_update буде true." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -"Для сумісності із використанням Kerberos MIT цей параметр встановлюватиме " -"відповідність реєстраційних даних Kerberos у PKINIT або AD NT Principal SAN " -"так, як це робить <SAN:Principal>." +"Значенням цього параметра у більшості розгорнутих систем IPA має бути False, " +"оскільки сервер IPA створює записи PTR автоматично після зміни у записах " +"переспрямовування." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "Приклад: <SAN>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Типове значення: False (вимкнено)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" -msgstr "<SAN:Principal>формальний-вираз" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -"Встановити відповідність реєстраційних даних Kerberos у PKINIT або AD NT " -"Principal SAN." +"Визначає, чи слід у програмі nsupdate типово використовувати TCP для обміну " +"даними з сервером DNS." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" -msgstr "Приклад: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" -msgstr "<SAN:ntPrincipalName>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" +msgstr "dyndns_server (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -"Встановити відповідність реєстраційних даних Kerberos з AD NT Principal SAN." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" -msgstr "Приклад: <SAN:ntPrincipalName>.*@MY.AD.REALM" +"Сервер DNS, який слід використовувати для виконання оновлення DNS. У " +"більшості конфігурацій рекомендуємо не встановлювати значення для цього " +"параметра." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" -msgstr "<SAN:pkinit>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" +"Встановлення значення для цього параметра потрібне для середовищ, де сервер " +"DNS відрізняється від сервера профілів." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." -msgstr "Встановити відповідність реєстраційних даних Kerberos з SAN PKINIT." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" +"Будь ласка, зауважте, що цей параметр буде використано лише для резервних " +"спроб, якщо попередні спроби із використанням автовиявлення завершаться " +"невдало." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" -msgstr "Приклад: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" +msgstr "Типове значення: немає (надати nsupdate змогу вибирати сервер)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" -msgstr "<SAN:dotted-decimal-oid>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" +msgstr "dyndns_update_per_family (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." 
+"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -"Отримати значення компонента SAN otherName, яке задано OID у крапково-" -"десятковому позначенні, обробити його як рядок і спробувати встановити " -"відповідність формальному виразу." +"Оновлення DNS, типово, виконується у два кроки — оновлення IPv4, а потім " +"оновлення IPv6. Іноді бажаним є виконання оновлення IPv4 і IPv6 за один крок." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" +msgstr "ipa_deskprofile_search_base (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" +"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з " +"профілями станції (Desktop Profile) об’єктів." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" -msgstr "Приклад: <SAN:1.2.3.4>test" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" +msgstr "Типове значення: використання базової назви домену" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" -msgstr "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" -"Виконати спробу встановлення двійкової відповідності блоку у кодуванні " -"base64 із усіма компонентами SAN otherName. За допомогою цього параметра " -"можна встановлювати відповідність із нетиповими компонентами otherName із " -"особливими кодуваннями, які не можна обробляти як рядки." +"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з " +"HBAC об’єктів." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" -msgstr "Приклад: <SAN:otherName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" -msgstr "<SAN:rfc822Name>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "Застарілий. Скористайтеся замість нього ldap_host_search_base." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." -msgstr "Встановити відповідність значення SAN rfc822Name." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" -msgstr "Приклад: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" +"Необов’язковий. Використати вказаний рядок як основу пошуку карт " +"користувачів SELinux." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" -msgstr "<SAN:dNSName>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." -msgstr "Встановити відповідність значення SAN dNSName." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" +"Необов’язковий. Використати вказаний рядок як основу пошуку надійних доменів." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" -msgstr "Приклад: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Типове значення: значення <emphasis>cn=trusts,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" -msgstr "<SAN:x400Address>рядок-base64" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." -msgstr "Встановити двійкову відповідність значення SAN x400Address." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" +"Необов’язковий. Використати вказаний рядок як основу пошуку основного " +"об’єкта домену." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" -msgstr "Приклад: <SAN:x400Address>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" +"Типове значення: значення виразу <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" -msgstr "<SAN:directoryName>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" +msgstr "ipa_views_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 -msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -"Встановити відповідність значення SAN directoryName. Цього параметра " -"стосуються ті самі коментарі, які було вказано для параметрів <ISSUER> " -"та <SUBJECT>." +"Необов’язковий. Використати вказаний рядок як основу пошуку контейнерів " +"перегляду." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" -msgstr "Приклад: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" +"Типове значення: значення <emphasis>cn=views,cn=accounts,%basedn</emphasis>" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" -msgstr "<SAN:ediPartyName>рядок-base64" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" +"Назва області дії Kerberos. Є необов’язковою, типовим значенням є значення " +"«ipa_domain»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." -msgstr "Встановити двійкову відповідність значення SAN ediPartyName." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" +"Назва області дії Kerberos має особливе значення у IPA: цю назву буде " +"перетворено у основний DN для виконання дій LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" -msgstr "Приклад: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" +msgstr "krb5_confd_path (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" -msgstr "<SAN:uniformResourceIdentifier>формальний-вираз" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" +"Абсолютний шлях до каталогу, у якому SSSD має зберігати фрагменти " +"налаштувань Kerberos." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." -msgstr "Встановити відповідність значення SAN uniformResourceIdentifier." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" +"Щоб вимкнути створення фрагментів налаштувань, встановіть для параметра " +"значення «none»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" -msgstr "Приклад: <SAN:uniformResourceIdentifier>URN:.*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" +"Типове значення: не встановлено (підкаталог krb5.include.d каталогу pubconf " +"SSSD)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" -msgstr "<SAN:iPAddress>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "ipa_deskprofile_refresh (ціле число)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." -msgstr "Встановити відповідність значення SAN iPAddress." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" +"Проміжок часу між послідовними пошуками правил профілів станції (Desktop " +"Profile) щодо сервера IPA. Зміна може зменшити час затримки та навантаження " +"на сервер IPA, якщо протягом короткого періоду часу надходить багато запитів " +"щодо профілів станції." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" -msgstr "Приклад: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" +msgstr "Типове значення: 5 (секунд)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" -msgstr "<SAN:registeredID>формальний-вираз" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "ipa_deskprofile_request_interval (ціле число)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -"Встановити значення SAN registeredID у форматі точково-десяткового рядка." +"Час між пошуками у правилах профілів станцій на сервері IPA, якщо за " +"останнім запитом не повернуто жодного правила." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" -msgstr "Приклад: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" +msgstr "Типове значення: 60 (хвилин)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." 
+msgstr "" +"Проміжок часу між послідовними пошуками правил HBAC щодо сервера IPA. Зміна " +"може зменшити час затримки та навантаження на сервер IPA, якщо протягом " +"короткого періоду часу надходить багато запитів щодо керування доступом." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" -msgstr "ПРАВИЛО ПРИВʼЯЗУВАННЯ" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (ціле число)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." msgstr "" -"Правило прив'язки використовується для пов'язування сертифіката із одним або " -"декількома обліковими записами. Далі, смарткарткою із сертифікатом та " -"відповідним закритим ключем можна скористатися для розпізнавання за одним з " -"цих облікових записів." +"Проміжок часу між послідовними пошуками у картах SELinux щодо сервера IPA. " +"Зміна може зменшити час затримки та навантаження на сервер IPA, якщо " +"протягом короткого періоду часу надходить багато запитів щодо входу " +"користувача до системи." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -"У поточній версії SSSD на базовому рівні підтримує пошук даних користувачів " -"лише у LDAP (винятком є лише засіб надання проксі, який у цьому контексті є " -"недоречним). Через це правило прив'язки засновано на синтаксисі фільтрування " -"пошуку LDAP з шаблонами для додавання вмісту сертифікатів до фільтра. " -"Очікується, що цей фільтр міститиме лише специфічні дані, потрібні для " -"прив'язки, яку функція виклику вбудовуватиме до іншого фільтра для виконання " -"справжнього пошуку. Через це рядок фільтрування має починатися із " -"завершуватися «(» і «)», відповідно." +"Цей параметр буде встановлено засобом встановлення IPA (ipa-server-install) " +"автоматично, він визначає, чи запущено SSSD на сервері IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -"Загалом, рекомендується використовувати атрибути з сертифіката і додати їх " -"до спеціальних атрибутів об'єкта користувача LDAP. Наприклад, можна " -"скористатися атрибутом «altSecurityIdentities» у AD або атрибутом " -"«ipaCertMapData» для IPA." +"На сервері IPA SSSD шукатиме записи користувачів і груп із довірених доменів " +"безпосередньо, хоча на клієнті SSSD надсилатиме запит на сервер IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -"Бажаним шляхом є читання із сертифіката специфічних для користувача даних, " -"наприклад адреси електронної пошти, і пошук цих даних на сервері LDAP. " -"Причиною є те, що специфічні для користувача дані у LDAP можу бути з різних " -"причин змінено, що розірве прив'язку. З іншого боку, якщо скористатися " -"бажаним шляхом, розірвати прив'язку буде важко." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Зауваження: у поточній версії має бути виконано декілька умов, якщо SSSD " +"працює на сервері IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -"Цей шаблон додасть повний DN видавця, перетворений на рядок відповідно до " -"RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN " -"стоїть останнім), буде використано параметр із префіксом «_x500»." +"Параметр <quote>ipa_server</quote> має бути налаштовано так, щоб він " +"вказував на сам сервер IPA. Це типово робить засіб встановлення IPA, тому " +"зміни вручну є зайвими." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." 
+"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -"У варіантах перетворення, назви яких починаються з «ad_», " -"використовуватимуться назви атрибутів, які використовуються AD, наприклад " -"«S», замість «ST»." +"Не слід змінювати значення параметра <quote>full_name_format</quote> для " +"того, щоб лише виводити короткі імена користувачів з довірених доменів." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 -msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -"У варіантах перетворення, назви яких починаються з «nss_», " -"використовуватимуться назви атрибутів, які використовуються NSS." +"Адреса автоматичного монтування, яку буде використовувати цей клієнт IPA" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" +msgstr "Типове значення: адреса з назвою \"default\"" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" +msgstr "ПЕРЕГЛЯДИ і ПЕРЕВИЗНАЧЕННЯ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" +msgstr "ipa_view_class (рядок)" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 -msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." -msgstr "" -"Типовим варіантом перетворення є «nss», тобто назви атрибутів відповідно до " -"NSS і упорядковування за LDAP/RFC 4514." +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." +msgstr "Клас об’єктів для контейнерів перегляду." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" -msgstr "" -"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" +msgstr "Типове значення: nsContainer" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" -msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" +msgstr "ipa_view_name (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 -msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." -msgstr "" -"Цей шаблон додасть повний DN призначення, перетворений на рядок відповідно " -"до RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN " -"стоїть останнім), буде використано параметр із префіксом «_x500»." +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." 
+msgstr "Назва атрибута, у якому зберігається назва перегляду." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 -msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" -"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" +msgstr "Типове значення: cn" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" -msgstr "{cert[!(bin|base64)]}" +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" +msgstr "ipa_override_object_class (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 -msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." -msgstr "" -"Цей шаблон додасть увесь сертифікат у кодуванні DER як рядок до фільтра " -"пошуку. Залежно від параметра перетворення, двійковий сертифікат або буде " -"преетворено на екрановану послідовність шістнадцяткових чисел у форматі " -"«\\xx», або на код base64. Типовим варіантом є екранована шістнадцяткова " -"послідовність, її може бути, наприклад, використано з атрибутом LDAP " -"«userCertificate;binary»." 
+#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." +msgstr "Клас об’єктів для об’єктів перевизначення" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" -msgstr "Приклад: (userCertificate;binary={cert!bin})" +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" +msgstr "Типове значення: ipaOverrideAnchor" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" -msgstr "{subject_principal[.short_name]}" +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" +msgstr "ipa_anchor_uuid (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#: sssd-ipa.5.xml:643 msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" -"Цей шаблон додасть реєстраційні дані Kerberos, які буде взято або з SAN, " -"який використовується pkinit, або з реєстраційних даних AD. Компонент " -"«short_name» відповідає першій частині реєстраційного запису до символу «@»." +"Назва атрибута, у якому зберігається посилання на початковий об’єкт на " +"віддаленому домені." #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 -msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" -msgstr "" -"Приклад: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" +msgstr "Типове значення: ipaAnchorUUID" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" -msgstr "{subject_pkinit_principal[.short_name]}" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" +msgstr "ipa_user_override_object_class (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 +#: sssd-ipa.5.xml:656 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що " -"використовується pkinit. Компонент «short_name» відповідає першій частині " -"реєстраційного запису до символу «@»." +"Назва класу об’єктів для перевизначень користувачів. Використовується для " +"визначення того, чи знайдений об’єкт перевизначення пов’язано з користувачем " +"або групою." #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 -msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" -msgstr "" -"Приклад: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" +msgstr "Перевизначення користувачів можуть містити атрибути, задані" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" -msgstr "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" +msgstr "ldap_user_name" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." -msgstr "" -"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що " -"використовується AD. Компонент «short_name» відповідає першій частині " -"реєстраційного запису до символу «@»." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" +msgstr "ldap_user_uid_number" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" -msgstr "{subject_rfc822_name[.short_name]}" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" +msgstr "ldap_user_gid_number" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 -msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." -msgstr "" -"Цей шаблон додасть рядок, який зберігається у компоненті rfc822Name SAN, " -"типово, адресу електронної пошти. Компонент «short_name» відповідає першій " -"частині адреси до символу «@»." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" +msgstr "ldap_user_gecos" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" +msgstr "ldap_user_home_directory" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" +msgstr "ldap_user_shell" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" +msgstr "ldap_user_ssh_public_key" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 -msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." 
-"short_name}))" -msgstr "" -"Приклад: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" +msgstr "Типове значення: ipaUserOverride" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" -msgstr "{subject_dns_name[.short_name]}" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" +msgstr "ipa_group_override_object_class (рядок)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#: sssd-ipa.5.xml:696 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" -"Цей шаблон додасть рядок, який зберігається у компоненті dNSName SAN, " -"типово, повну назву вузла. Компонент «short_name» відповідає першій частині " -"назви до першого символу «.»." +"Назва класу об’єктів для перевизначень груп. Використовується для визначення " +"того, чи знайдений об’єкт перевизначення пов’язано з користувачем або групою." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" -msgstr "" -"Приклад: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" +msgstr "Перевизначення груп можуть містити атрибути, задані" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" -msgstr "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "ldap_group_name" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" +msgstr "ldap_group_gid_number" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" +msgstr "Типове значення: ipaGroupOverride" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -"Цей шаблон додає рядок, який зберігається у компоненті " -"uniformResourceIdentifier SAN." +"SSSD може обробляти перегляди та перевизначення, які пропонуються FreeIPA " +"4.1 та новішими версіями. Оскільки усі шляхи і класи об’єктів зафіксовано на " +"боці сервера, в основному, немає потреби у додатковому налаштовуванні. Для " +"повноти, усі відповідні параметри наведено у списку разом з їхніми типовими " +"значеннями. <placeholder type=\"variablelist\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" -msgstr "Приклад: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" +msgstr "СЛУЖБА ПІДДОМЕНІВ" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" -msgstr "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" +"Поведінка інструмента надання даних піддоменів IPA залежить від того, у який " +"спосіб його налаштовано: явний чи неявний." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." -msgstr "Цей шаблон додає рядок, який зберігається у компоненті iPAddress SAN." +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" +"Якщо у розділі домену sssd.conf буде знайдено запис параметра " +"«subdomains_provider = ipa», інструмент надання даних піддоменів IPA " +"налаштовано явно, отже всі запити піддоменів надсилатимуться серверу IPA, " +"якщо це потрібно." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" -msgstr "Приклад: (ip={subject_ip_address})" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" +"Якщо у розділі домену sssdconf не встановлено параметр " +"«subdomains_provider», але встановлено параметр «id_provider = ipa», " +"інструмент надання даних піддоменів IPA налаштовано неявним чином. У цьому " +"випадку спроба запиту щодо піддомену зазнає невдачі і вказуватиме на те, що " +"на сервері не передбачено піддоменів, тобто його не налаштовано на довіру, " +"отже інструмент надання даних піддоменів IPA вимкнено. Щойно мине година або " +"відкриється доступ до інструмента надання даних IPA, інструмент надання " +"даних піддоменів буде знову увімкнено." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" -msgstr "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "НАЛАШТОВУВАННЯ ДОВІРЕНИХ ДОМЕНІВ" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." 
+"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -"Цей шаблон додає значення, яке зберігається у компоненті x400Address SAN як " -"послідовність екранованих шістнадцяткових чисел." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" -msgstr "Приклад: (attr:binary={subject_x400_address})" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"Для довіреного домену можна також встановити деякі параметри налаштовування. " +"Налаштовування довіреного домену можна виконати за допомогою підрозділу, " +"приклад: <placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. 
For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Цей шаблон додасть рядок DN значення, яке зберігається у компоненті " -"directoryName SAN." +"Крім того, деякі параметри можна встановити у батьківському домені і " +"успадкувати для довіреного домену за допомогою параметра " +"<quote>subdomain_inherit</quote>. Щоб дізнатися більше, ознайомтеся зі " +"сторінкою підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" -msgstr "Приклад: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" +"Перелік параметрів налаштовування для довіреного домену залежить від того, " +"як ви налаштували SSSD на сервері IPA або клієнт IPA." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" -msgstr "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "ПАРАМЕТРИ, ЯКІ МОЖНА НАЛАШТУВАТИ НА ОСНОВНИХ СЕРВЕРАХ IPA" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." 
+"The following options can be set in a subdomain section on an IPA master:" msgstr "" -"Цей шаблон додає значення, яке зберігається у компоненті ediPartyName SAN як " -"послідовність екранованих шістнадцяткових чисел." +"У розділі піддомену на основному сервері IPA можна вказати такі параметри:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" -msgstr "Приклад: (attr:binary={subject_ediparty_name})" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" +msgstr "ad_server" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" -msgstr "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" +msgstr "ad_backup_server" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" +msgstr "ad_site" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" +msgstr "ldap_search_base" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" +msgstr "ldap_user_search_base" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" +msgstr "ldap_group_search_base" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "ПАРАМЕТРИ, ЯКІ МОЖНА НАЛАШТУВАТИ НА КЛІЄНТАХ IPA" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." -msgstr "" -"Цей шаблон додає OID, який зберігається у компоненті registeredID SAN у " -"форматі точково-десяткового рядка." +"The following options can be set in a subdomain section on an IPA client:" +msgstr "У розділі піддомену на клієнті IPA можна вказати такі параметри:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" -msgstr "Приклад: (oid={subject_registered_id})" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" +"Зауважте, що якщо встановлено обидва параметри, буде враховано лише " +"<quote>ad_server</quote>." #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#: sssd-ipa.5.xml:821 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. 
In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -"Шаблони для додавання даних сертифікатів до фільтра пошуку засновано на " -"рядках форматування у стилі Python. Воли складаються з ключового слова у " -"фігурних дужках із додатковим підкомпонентом-специфікатором, відокремленим " -"«.», або додатковим параметром перетворення-форматування, відокремленим «!». " -"Дозволені значення: <placeholder type=\"variablelist\" id=\"0\"/>" +"Оскільки будь-який запит щодо ідентифікації користувача або групи від " +"довіреного домену, який започатковано клієнтом IPA, обробляється сервером " +"IPA, параметри <quote>ad_server</quote> і <quote>ad_site</quote> впливають " +"лише на те, який з DC AD виконуватиме процедуру розпізнавання. Зокрема, " +"адреси, які визначено за цими списками, буде записано до файлів " +"<quote>kdcinfo</quote>, читання яких виконуватиметься додатком пошуку " +"Kerberos. Будь ласка, зверніться до сторінки підручника щодо <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку Kerberos." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" -msgstr "СПИСОК ДОМЕНІВ" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." 
+msgstr "" +"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, " +"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " +"У прикладі продемонстровано лише параметри доступу, специфічні для засобу " +"ipa." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -"Якщо список доменів не є порожнім, записи користувачів, прив'язані до " -"заданого сертифіката, шукаються не лише у локальному домені, а і у доменах " -"зі списку, якщо вони відомі SSSD. Домени, які не відомі SSSD, буде " -"проігноровано." +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" -msgstr "sssd-ipa" +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" -msgstr "Модуль надання даних IPA SSSD" +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "Модуль надання даних Active Directory SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"На цій сторінці довідника описано налаштування засобу керування доступом AD " +"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, " +"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" +"Засіб надання даних AD є модулем, який використовується для встановлення " +"з'єднання із сервером Active Directory. Для роботи цього засобу надання " +"даних потрібно, щоб комп'ютер було долучено до домену AD і щоб було " +"доступним сховище ключів. Обмін даними із модулем відбувається за допомогою " +"каналу із шифруванням GSSAPI. Із засобом надання даних AD не слід " +"використовувати параметри SSL/TLS, оскільки їх перекриває використання " +"Kerberos." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -"На цій сторінці довідника описано налаштування засобу керування доступом IPA " -"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, " -"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"У засобі надання даних AD передбачено підтримку встановлення з’єднання з " +"Active Directory 2008 R2 або пізнішою версією. Робота з попередніми версіями " +"можлива, але не підтримується." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#: sssd-ad.5.xml:48 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -"Інструмент надання даних IPA — модуль, який використовується для " -"встановлення з’єднання з сервером IPA. (Інформацію щодо серверів IPA можна " -"знайти на сайті freeipa.org.) Цей інструмент надання доступу потребує " -"включення комп’ютера до домену IPA. Налаштування майже повністю " -"автоматизовано, дані для нього отримуються безпосередньо з сервера." 
+"Засобом надання даних AD можна скористатися для отримання даних щодо " +"користувачів і розпізнавання користувачів за допомогою довірених доменів. У " +"поточній версії передбачено підтримку використання лише довірених доменів з " +"того самого лісу. Крім того автоматично визначаються сервери із довірених " +"доменів." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 +#: sssd-ad.5.xml:54 msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -"Засіб надання даних IPA уможливлює для SSSD використання засобу надання " -"даних профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"Засіб надання даних AD уможливлює для SSSD використання засобу надання даних " +"профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> та засобу надання даних " "розпізнавання <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ IPA. " -"Засіб надання даних IPA приймає ті самі параметри, які використовуються " -"засобами надання даних sssd-ldap та sssd-krb5, із деякими виключеннями. 
" -"Втім, встановлювати ці параметри не обов'язково і не рекомендовано." +"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ Active " +"Directory. Засіб надання даних AD приймає ті самі параметри, які " +"використовуються засобами надання даних sssd-ldap та sssd-krb5, із деякими " +"виключеннями. Втім, встановлювати ці параметри не обов'язково і не " +"рекомендовано." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 +#: sssd-ad.5.xml:69 msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " +"The AD provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -"Засіб надання даних IPA в основному копіює типові параметри традиційних " +"Засіб надання даних AD в основному копіює типові параметри традиційних " "засобів надання даних ldap і krb5 із деякими виключенням. Відмінності " "наведено у розділі <quote>ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ</quote>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 +#: sssd-ad.5.xml:74 msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -"Як інструмент надання доступу, інструмент надання даних IPA для керування " -"доступом використовує правила HBAC (host-based access control або керування " -"доступом на основі даних щодо вузлів). Докладнішу інформацію щодо HBAC можна " -"отримати на сайті freeipa.org. У налаштуванні керування доступом на боці " -"клієнта немає потреби." 
+"Інструментом надання даних AD також можна скористатися для доступу, зміни " +"паролів запуску від імені користувача (sudo) та використання autofs. У " +"налаштовуванні керування доступом на боці клієнта немає потреби." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#: sssd-ad.5.xml:79 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" "quote>." msgstr "" -"Якщо у sssd.conf вказано <quote>auth_provider=ipa</quote> або " -"<quote>access_provider=ipa</quote>, для id_provider також має бути вказано " -"<quote>ipa</quote>." +"Якщо у sssdconf вказано <quote>auth_provider=ad</quote> або " +"<quote>access_provider=ad</quote>, для id_provider також має бути вказано " +"<quote>ad</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"ldap_id_mapping = False\n" +" " msgstr "" -"Інструмент надання даних IPA використовуватиме відповідач PAC, якщо квитки " -"Kerberos користувачів з довірених областей містять PAC. Для полегшення " -"налаштовування відповідач PAC запускається автоматично, якщо налаштовано " -"інструмент надання даних ідентифікаторів IPA." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" -msgstr "ipa_domain (рядок)" +"ldap_id_mapping = False\n" +" " -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -"Визначає назву домену IPA. Є необов’язковим. Якщо не вказано, буде " -"використано назву домену з налаштувань." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" -msgstr "ipa_server, ipa_backup_server (рядок)" +"Типово, модуль надання даних AD виконуватиме прив’язку до значень UID та GID " +"з параметра objectSID у Active Directory. Докладніший опис наведено у " +"розділі «ВСТАНОВЛЕННЯ ВІДПОВІДНОСТІ ІДЕНТИФІКАТОРІВ». 
Якщо вам потрібно " +"вимкнути встановлення відповідності ідентифікаторів і покладатися на " +"атрибути POSIX, визначені у Active Directory, вам слід встановити " +"<placeholder type=\"programlisting\" id=\"0\"/> Якщо має бути використано " +"атрибути POSIX, рекомендуємо з міркувань швидкодії виконувати також " +"реплікацію атрибутів до загального каталогу. Якщо виконується реплікація " +"атрибутів POSIX, SSSD намагатиметься знайти домен числового ідентифікатора " +"із запиту за допомогою загального каталогу і шукатиме лише цей домен. І " +"навпаки, якщо реплікація атрибутів POSIX до загального каталогу не " +"відбувається, SSSD доводиться шукати на усіх доменах у лісі послідовно. Будь " +"ласка, зауважте, що для пришвидшення пошуку без доменів також може бути " +"корисним використання параметра <quote>cache_first</quote>. Зауважте, що " +"якщо у загальному каталозі є лише підмножина атрибутів POSIX, у поточній " +"версії невідтворювані атрибути з порту LDAP не читатимуться." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -"Впорядкований за пріоритетом список IP-адрес або назв вузлів, відокремлених " -"комами, серверів IPA, з якими має встановити з’єднання SSSD. 
Докладніші " -"відомості щодо резервних серверів викладено у розділі «РЕЗЕРВ». Цей список є " -"необов’язковим, якщо увімкнено автоматичне виявлення служб. Докладніші " -"відомості щодо автоматичного виявлення служб наведено у розділі «ПОШУК " -"СЛУЖБ»." +"Дані щодо користувачів, груп та інших записів, які обслуговуються SSSD, у " +"модулі надання даних AD завжди обробляються із врахуванням регістру символів " +"для забезпечення сумісності з реалізацією Active Directory у LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" -msgstr "ipa_hostname (рядок)" +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:126 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не " -"відповідає повній назві, що використовується доменом IPA для розпізнавання " -"цього вузла. Назву вузла слід вказувати повністю." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" -msgstr "dyndns_update (булеве значення)" +"Визначає назву домену Active Directory. Є необов’язковим. Якщо не вказано, " +"буде використано назву домену з налаштувань." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:131 msgid "" -"Optional. 
This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично " -"оновити на сервері DNS, вбудованому до FreeIPA, IP-адресу клієнта. Захист " -"оновлення буде забезпечено за допомогою GSS-TSIG. Для оновлення буде " -"використано IP-адресу з’єднання LDAP IPA, якщо не вказано іншу адресу за " -"допомогою параметра «dyndns_iface»." +"Для забезпечення належної роботи цей параметр слід вказати у форматі запису " +"малими літерами повної версії назви домену Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#: sssd-ad.5.xml:136 msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -"ЗАУВАЖЕННЯ: на застарілих системах (зокрема RHEL 5) для надійної роботи у " -"цьому режимі типову область дії Kerberos має бути належним чином визначено " -"у /etc/krb5.conf" +"Скорочена назва домену (також відома як назва NetBIOS або проста назва) " +"автоматично визначається засобами SSSD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "ad_enabled_domains (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:146 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " -"<emphasis>ipa_dyndns_update</emphasis>, користувачам слід переходити на нову " -"назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" -msgstr "dyndns_ttl (ціле число)" +"Список дозволених доменів Active Directory, відокремлених комами. Якщо " +"вказано, SSSD ігноруватиме будь-які домени, яких немає у списку цього " +"параметра. Якщо значення параметра не встановлено, доступними будуть усі " +"домени з лісу AD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -"TTL, до якого буде застосовано клієнтський запис DNS під час його оновлення. " -"Якщо dyndns_update має значення false, цей параметр буде проігноровано. 
" -"Перевизначає TTL на боці сервера, якщо встановлено адміністратором." +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 +#: sssd-ad.5.xml:152 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " -"<emphasis>ipa_dyndns_ttl</emphasis>, користувачам слід переходити на нову " -"назву, <emphasis>dyndns_ttl</emphasis>, у файлі налаштувань." +"Для належного функціонування значення цього параметра має бути вказано " +"малими літерами у форматі повної назви домену Active Directory. Приклад: " +"<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" -msgstr "Типове значення: 1200 (секунд)" +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" +"Скорочена назва домену (також відома як назва NetBIOS або проста назва) " +"автоматично визначається засобами SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" -msgstr "dyndns_iface (рядок)" +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 +#: sssd-ad.5.xml:173 msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -"Необов'язковий. Застосовний, лише якщо dyndns_update має значення true. " -"Виберіть інтерфейс або список інтерфейсів, чиї IP-адреси має бути " -"використано для динамічних оновлень DNS. Спеціальне значення <quote>*</" -"quote> означає, що слід використовувати IP-адреси з усіх інтерфейсів." +"Список назв тих вузлів серверів AD, відокремлених комами, з якими SSSD має " +"встановлювати з'єднання у порядку пріоритетності. Щоб дізнатися більше про " +"резервне використання серверів, ознайомтеся із розділом <quote>РЕЗЕРВ</" +"quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 +#: sssd-ad.5.xml:180 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, " -"<emphasis>ipa_dyndns_iface</emphasis>, користувачам слід переходити на нову " -"назву, <emphasis>dyndns_iface</emphasis>, у файлі налаштувань." +"Цей список є необов’язковим, якщо увімкнено автоматичне виявлення служб. 
" +"Докладніші відомості щодо автоматичного виявлення служб наведено у розділі " +"«ПОШУК СЛУЖБ»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:185 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -"Типове значення: використовувати IP-адреси інтерфейсу, який використовується " -"для з’єднання LDAP IPA" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" -msgstr "Приклад: dyndns_iface = em1, vnet1, vnet2" +"Зауваження: довірені домени завжди автоматично визначають сервери, навіть " +"якщо основний сервер явним чином визначено у параметрі ad_server." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" -msgstr "dyndns_auth (рядок)" +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:196 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." 
msgstr "" -"Визначає, чи має використовувати допоміжний засіб nsupdate розпізнавання GSS-" -"TSIG для безпечних оновлень за допомогою сервера DNS, незахищені оновлення " -"можна надсилати встановленням для цього параметра значення «none»." +"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не " +"відповідає повній назві, що використовується доменом Active Directory для " +"розпізнавання цього вузла." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" -msgstr "Типове значення: GSS-TSIG" +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" +"Це поле використовується для визначення основної назви вузла, яка " +"використовуватиметься у таблиці ключів. Ця назва має відповідати назві " +"вузла, для якого випущено таблицю ключів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" -msgstr "ipa_enable_dns_sites (булеве значення)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." -msgstr "Вмикає сайти DNS — визначення служб на основі адрес." +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (булеве значення)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:217 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" "Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо " "пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку " -"спробує визначення на основі адрес за допомогою запиту, що містить " -"\"_location.hostname.example.com\", а потім повертається до традиційного " -"визначення SRV. Якщо визначення на основі адреси буде успішним, сервери IPA, " -"виявлені на основі визначення за адресою, вважатимуться основним серверами, " -"а сервери IPA, виявлені за допомогою традиційного визначення SRV, " -"вважатимуться резервними серверами." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" -msgstr "dyndns_refresh_interval (ціле число)" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 -msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true." -msgstr "" -"Визначає, наскільки часто серверний модуль має виконувати періодичні " -"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час " -"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не " -"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true." +"спробує визначити сервер Active Directory для встановлення з’єднання на " +"основі використання визначення сайтів Active Directory і повертається до " +"визначення за записами SRV DNS, якщо сайт AD не буде знайдено. Налаштування " +"SRV DNS, зокрема домен пошуку, використовуються також під час визначення " +"сайтів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" -msgstr "dyndns_update_ptr (булеве значення)" +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:236 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -"Визначає, чи слід явним чином оновлювати запис PTR під час оновлення записів " -"DNS клієнта. 
Застосовується, лише якщо значенням dyndns_update буде true." +"Цей параметр визначає фільтр керування доступом LDAP, якому має відповідати " +"запис користувача для того, щоб йому було надано доступ. Будь ласка, " +"зауважте, що слід явним чином встановити для параметра «access_provider» " +"значення «ad», щоб цей параметр почав діяти." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 +#: sssd-ad.5.xml:244 msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -"Значенням цього параметра у більшості розгорнутих систем IPA має бути False, " -"оскільки сервер IPA створює записи PTR автоматично після зміни у записах " -"переспрямовування." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" -msgstr "Типове значення: False (вимкнено)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" -msgstr "dyndns_force_tcp (булеве значення)" +"У параметрі також передбачено підтримку визначення різних фільтрів для " +"окремих доменів або дерев. Цей розширений фільтр повинен мати такий формат: " +"«КЛЮЧОВЕ СЛОВО:НАЗВА:ФІЛЬТР». Набір підтримуваних ключових слів: «DOM», " +"«FOREST» або ключове слово слід пропустити." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:252 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -"Визначає, чи слід у програмі nsupdate типово використовувати TCP для обміну " -"даними з сервером DNS." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" -msgstr "dyndns_server (рядок)" +"Якщо вказано ключове слово «DOM» або ключового слова не вказано, «НАЗВА» " +"визначає домен або піддомен, до якого застосовується фільтрування. Якщо " +"ключовим словом є «FOREST», фільтр застосовується до усіх доменів з лісу, " +"вказаного значенням «НАЗВА»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#: sssd-ad.5.xml:260 msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -"Сервер DNS, який слід використовувати для виконання оновлення DNS. 
У " -"більшості конфігурацій рекомендуємо не встановлювати значення для цього " -"параметра." +"Декілька фільтрів можна відокремити символом «?», подібно до способу " +"визначення фільтрів у базах для пошуку." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:265 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -"Встановлення значення для цього параметра потрібне для середовищ, де сервер " -"DNS відрізняється від сервера профілів." +"Визначення участі у вкладених групах має відбуватися із використанням " +"спеціалізованого OID <quote>:1.2.840.113556.1.4.1941:</quote>, окрім повних " +"синтаксичних конструкцій DOM:domain.example.org:, щоб засіб обробки не " +"намагався інтерпретувати символи двокрапки, пов'язані з OID. Якщо ви не " +"використовуєте цей OID, вкладена участь у групах не визначатиметься. " +"Ознайомтеся із прикладом використання, який наведено нижче, і цим " +"посиланням, щоб дізнатися більше про OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\">[MS-ADTS] Правила встановлення " +"відповідності у LDAP</ulink>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:278 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -"Будь ласка, зауважте, що цей параметр буде використано лише для резервних " -"спроб, якщо попередні спроби із використанням автовиявлення завершаться " -"невдало." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" -msgstr "Типове значення: немає (надати nsupdate змогу вибирати сервер)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" -msgstr "dyndns_update_per_family (булеве значення)" +"Завжди використовується відповідник з найвищим рівнем відповідності. " +"Наприклад, якщо визначено фільтрування для домену, учасником якого є " +"користувач, і загальне фільтрування, буде використано фільтрування для " +"окремого домену. Якщо буде виявлено декілька відповідників з однаковою " +"специфікацією, використовуватиметься лише перший з них." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -"Оновлення DNS, типово, виконується у два кроки — оновлення IPv4, а потім " -"оновлення IPv6. Іноді бажаним є виконання оновлення IPv4 і IPv6 за один крок." +"# застосувати фільтрування лише для домену з назвою dom1:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# застосувати фільтрування лише для домену з назвою dom2:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# застосувати фільтрування лише для лісу з назвою EXAMPLE.COM:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# застосувати фільтрування до учасника вкладеної групи у dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" -msgstr "ipa_deskprofile_search_base (рядок)" +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (рядок)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#: sssd-ad.5.xml:311 msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з " -"профілями станції (Desktop Profile) об’єктів." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" -msgstr "Типове значення: використання базової назви домену" +"Визначає сайт AD, з яким має встановлювати з’єднання клієнт. Якщо не буде " +"вказано, виконуватиметься спроба автоматичного визначення сайта AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" -msgstr "ipa_hbac_search_base (рядок)" +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з " -"HBAC об’єктів." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" -msgstr "ipa_host_search_base (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." -msgstr "Застарілий. Скористайтеся замість нього ldap_host_search_base." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" -msgstr "ipa_selinux_search_base (рядок)" +"Типово, SSSD для отримання даних користувачів з надійних (довірених) доменів " +"спочатку встановлює з’єднання із загальним каталогом (Global Catalog). Якщо " +"ж отримати дані не вдасться, система використовує порт LDAP для отримання " +"даних щодо участі у групах. Вимикання цього параметра призведе до того, що " +"SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку карт " -"користувачів SELinux." +"Будь ласка, зауважте, що вимикання підтримки загального каталогу (Global " +"Catalog) не призведе до вимикання спроб отримати дані користувачів з " +"надійних (довірених) доменів. Просто SSSD намагатиметься отримати ці ж дані " +"за допомогою порту LDAP надійних доменів. 
Втім, загальним каталогом (Global " +"Catalog) доведеться скористатися для визначення зв’язків даних щодо участі у " +"групах для різних доменів." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" -msgstr "ipa_subdomains_search_base (рядок)" +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку надійних доменів." +"Цей параметр визначає режим роботи для функціональних можливостей керування " +"доступом на основі GPO: працюватиме система у вимкненому режимі, режимі " +"примушення чи дозвільному режимі. Будь ласка, зауважте, що для того, щоб цей " +"параметр запрацював, слід явним чином встановити для параметра " +"«access_provider» значення «ad»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" -msgstr "Типове значення: значення <emphasis>cn=trusts,%basedn</emphasis>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" -msgstr "ipa_master_domain_search_base (рядок)" +#: sssd-ad.5.xml:359 +#, fuzzy +#| msgid "" +#| "GPO-based access control functionality uses GPO policy settings to " +#| "determine whether or not a particular user is allowed to logon to a " +#| "particular host." +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." +msgstr "" +"Функціональні можливості з керування доступом на основі GPO використовують " +"параметри правил GPO для визначення того, може чи не може той чи інший " +"користувач увійти до системи певного вузла мережі." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку основного " -"об’єкта домену." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. 
In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -"Типове значення: значення виразу <emphasis>cn=ad,cn=etc,%basedn</emphasis>" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" -msgstr "ipa_views_search_base (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -"Необов’язковий. Використати вказаний рядок як основу пошуку контейнерів " -"перегляду." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -"Типове значення: значення <emphasis>cn=views,cn=accounts,%basedn</emphasis>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 +#: sssd-ad.5.xml:401 msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." 
+"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -"Назва області дії Kerberos. Є необов’язковою, типовим значенням є значення " -"«ipa_domain»." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 +#: sssd-ad.5.xml:410 msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -"Назва області дії Kerberos має особливе значення у IPA: цю назву буде " -"перетворено у основний DN для виконання дій LDAP." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" -msgstr "krb5_confd_path (рядок)" +"Зауваження: у поточній версії SSSD не передбачено підтримки записів вузлів " +"(комп'ютерів) до списку «Фільтрування захисту» («Security Filtering») GPO. " +"Передбачено підтримку лише записів користувачів і груп. Записи вузлів у " +"списку ні на що не впливатимуть." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 +#: sssd-ad.5.xml:417 +#, fuzzy +#| msgid "" +#| "NOTE: If the operation mode is set to enforcing, it is possible that " +#| "users that were previously allowed logon access will now be denied logon " +#| "access (as dictated by the GPO policy settings). 
In order to facilitate a " +#| "smooth transition for administrators, a permissive mode is available that " +#| "will not enforce the access control rules, but will evaluate them and " +#| "will output a syslog message if access would have been denied. By " +#| "examining the logs, administrators can then make the necessary changes " +#| "before setting the mode to enforcing." msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -"Абсолютний шлях до каталогу, у якому SSSD має зберігати фрагменти " -"налаштувань Kerberos." +"ЗАУВАЖЕННЯ: якщо встановлено режим роботи «примусовий» (enforcing), можлива " +"ситуація, коли користувачі, які раніше мали доступ до входу, позбудуться " +"такого доступу (через використання параметрів правил GPO). З метою полегшити " +"перехід на нову систему для адміністраторів передбачено дозвільний режим " +"доступу (permissive), за якого правила керування доступом не " +"встановлюватимуться у примусовому порядку. Програма лише перевірятиме " +"відповідність цим правилам і виводитиме до системного журналу повідомлення, " +"якщо доступ було надано усупереч цим правилам. 
Вивчення журналу надасть " +"змогу адміністраторам внести відповідні зміни до встановлення примусового " +"режиму (enforcing)." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" +msgstr "У цього параметра є три підтримуваних значення:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -"Щоб вимкнути створення фрагментів налаштувань, встановіть для параметра " -"значення «none»." +"disabled: правила керування доступом, засновані на GPO, не обробляються і не " +"використовуються примусово." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" +"enforcing: правила керування доступом, засновані на GPO, обробляються і " +"використовуються примусово." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." 
msgstr "" -"Типове значення: не встановлено (підкаталог krb5.include.d каталогу pubconf " -"SSSD)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" -msgstr "ipa_deskprofile_refresh (ціле число)" +"permissive: виконати перевірку відповідності правилам керування доступом на " +"основі GPO, але не наполягати на їхньому виконанні. Якщо правила не " +"виконуються, вивести до системного журналу повідомлення про те, що " +"користувачеві було б заборонено доступ, якби використовувався режим " +"enforcing." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 -msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." -msgstr "" -"Проміжок часу між послідовними пошуками правил профілів станції (Desktop " -"Profile) щодо сервера IPA. Зміна може зменшити час затримки та навантаження " -"на сервер IPA, якщо протягом короткого періоду часу надходить багато запитів " -"щодо профілів станції." +#: sssd-ad.5.xml:463 +msgid "Default: permissive" +msgstr "Типове значення: permissive" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" -msgstr "Типове значення: 5 (секунд)" +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" +msgstr "Типове значення: enforcing" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" -msgstr "ipa_deskprofile_request_interval (ціле число)" +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "ad_gpo_implicit_deny (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:475 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" -"Час між пошуками у правилах профілів станцій на сервері IPA, якщо за " -"останнім запитом не повернуто жодного правила." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "Типове значення: 60 (хвилин)" +"Зазвичай, якщо не буде знайдено відповідних GPO, користувачам буде надано " +"доступ. Якщо для цього параметра встановлено значення True, доступ " +"користувачам надаватиметься, лише якщо його явним чином дозволено правилом " +"GPO. Якщо ж такого дозвільного правила не буде виявлено, доступ буде " +"заборонено. Цим можна скористатися для підвищення рівня захисту, але слід " +"бути обережним із використанням цього параметра, оскільки за його допомогою " +"можна заборонити доступ навіть користувачам у вбудованій групі " +"Administrators, якщо немає правил GPO, якими надається такий доступ." #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" -msgstr "ipa_hbac_refresh (ціле число)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" +msgstr "ad_gpo_ignore_unreadable (булеве значення)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:495 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" -"Проміжок часу між послідовними пошуками правил HBAC щодо сервера IPA. Зміна " -"може зменшити час затримки та навантаження на сервер IPA, якщо протягом " -"короткого періоду часу надходить багато запитів щодо керування доступом." +"Зазвичай, якщо певні контейнери правил групи (об'єкта AD) відповідних " +"об'єктів правил груп є непридатним до читання з SSSD, доступ користувачам " +"буде заборонено. За допомогою цього параметра можна проігнорувати контейнери " +"правил груп та пов'язані із ними правила, якщо їхні атрибути у контейнерах " +"правил груп є непридатним до читання з SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" -msgstr "ipa_hbac_selinux (ціле число)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (ціле число)" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 +#: sssd-ad.5.xml:515 msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" -"Проміжок часу між послідовними пошуками у картах SELinux щодо сервера IPA. " -"Зміна може зменшити час затримки та навантаження на сервер IPA, якщо " -"протягом короткого періоду часу надходить багато запитів щодо входу " -"користувача до системи." +"Проміжок часу між послідовними пошуками файлів правил GPO щодо сервера AD. " +"Зміна може зменшити час затримки та навантаження на сервер AD, якщо протягом " +"короткого періоду часу надходить багато запитів щодо керування доступом." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" -msgstr "ipa_server_mode (булеве значення)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (рядок)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:531 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. 
Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"Цей параметр буде встановлено засобом встановлення IPA (ipa-server-install) " -"автоматично, він визначає, чи запущено SSSD на сервері IPA." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:549 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -"На сервері IPA SSSD шукатиме записи користувачів і груп із довірених доменів " -"безпосередньо, хоча на клієнті SSSD надсилатиме запит на сервер IPA." +"Зауваження: у редакторі керування правилами для груп це значення має назву " +"«Дозволити локальний вхід» («Allow log on locally») та «Заборонити локальний " +"вхід» («Deny log on locally»)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." 
+"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" -"Зауваження: у поточній версії має бути виконано декілька умов, якщо SSSD " -"працює на сервері IPA." +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:554 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Параметр <quote>ipa_server</quote> має бути налаштовано так, щоб він " -"вказував на сам сервер IPA. Це типово робить засіб встановлення IPA, тому " -"зміни вручну є зайвими." +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «login») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 -msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." -msgstr "" -"Не слід змінювати значення параметра <quote>full_name_format</quote> для " -"того, щоб лише виводити короткі імена користувачів з довірених доменів." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" -msgstr "ipa_automount_location (рядок)" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" -msgstr "" -"Адреса автоматичного монтування, яку буде використовувати цей клієнт IPA" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" -msgstr "Типове значення: адреса з назвою \"default\"" - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" -msgstr "ПЕРЕГЛЯДИ і ПЕРЕВИЗНАЧЕННЯ" +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" +msgstr "gdm-fingerprint" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" -msgstr "ipa_view_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" +msgstr "lightdm" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." 
-msgstr "Клас об’єктів для контейнерів перегляду." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" +msgstr "lxdm" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" -msgstr "Типове значення: nsContainer" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" +msgstr "sddm" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" -msgstr "ipa_view_name (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" +msgstr "unity" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." -msgstr "Назва атрибута, у якому зберігається назва перегляду." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" +msgstr "xdm" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" -msgstr "ipa_override_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." -msgstr "Клас об’єктів для об’єктів перевизначення" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" -msgstr "Типове значення: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." 
+msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід за допомогою служб віддаленої стільниці» («Allow " +"log on through Remote Desktop Services») та «Заборонити вхід за допомогою " +"служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" -msgstr "ipa_anchor_uuid (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:663 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Назва атрибута, у якому зберігається посилання на початковий об’єкт на " -"віддаленому домені." 
+"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «sshd») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" -msgstr "Типове значення: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" +msgstr "sshd" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" -msgstr "ipa_user_override_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" +msgstr "cockpit" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:697 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." 
+"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"Назва класу об’єктів для перевизначень користувачів. Використовується для " -"визначення того, чи знайдений об’єкт перевизначення пов’язано з користувачем " -"або групою." - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" -msgstr "Перевизначення користувачів можуть містити атрибути, задані" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" -msgstr "ldap_user_name" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" -msgstr "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:715 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." 
+msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Відкрити доступ до цього комп’ютера із мережі» («Access this " +"computer from the network») і «Заборонити доступ до цього комп’ютера із " +"мережі» (Deny access to this computer from the network»)." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" -msgstr "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" -msgstr "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:721 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «ftp») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" -msgstr "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" +msgstr "ftp" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" -msgstr "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" +msgstr "samba" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" -msgstr "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" -msgstr "Типове значення: ipaUserOverride" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:755 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" -msgstr "ipa_group_override_object_class (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід як пакетне завдання» («Allow log on as a batch " +"job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"Name of the objectclass for group overrides. 
It is used to determine if the " -"found override object is related to a user or a group." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" -"Назва класу об’єктів для перевизначень груп. Використовується для визначення " -"того, чи знайдений об’єкт перевизначення пов’язано з користувачем або групою." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" -msgstr "Перевизначення груп можуть містити атрибути, задані" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:778 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «crond») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" -msgstr "ldap_group_name" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:790 +msgid "" +"Note: Cron service name may differ depending on Linux distribution used." +msgstr "" +"Зауваження: назва служби cron у різних дистрибутивах Linux може бути різною." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" -msgstr "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" +msgstr "crond" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" -msgstr "Типове значення: ipaGroupOverride" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:808 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. 
Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -"SSSD може обробляти перегляди та перевизначення, які пропонуються FreeIPA " -"4.1 та новішими версіями. Оскільки усі шляхи і класи об’єктів зафіксовано на " -"боці сервера, в основному, немає потреби у додатковому налаштовуванні. Для " -"повноти, усі відповідні параметри наведено у списку разом з їхніми типовими " -"значеннями. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" -msgstr "СЛУЖБА ПІДДОМЕНІВ" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід як службу» («Allow log on as a service») і " +"«Заборонити вхід як службу» («Deny log on as a service»)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." 
+"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" -"Поведінка інструмента надання даних піддоменів IPA залежить від того, у який " -"спосіб його налаштовано: явний чи неявний." +"ad_gpo_map_service = +my_pam_service\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" -"Якщо у розділі домену sssd.conf буде знайдено запис параметра " -"«subdomains_provider = ipa», інструмент надання даних піддоменів IPA " -"налаштовано явно, отже всі запити піддоменів надсилатимуться серверу IPA, " -"якщо це потрібно." +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби». Оскільки типовий набір є порожнім, назви служби " +"з типового набору назв служб PAM вилучити неможливо. Наприклад, щоб додати " +"нетипову назву служби PAM (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:852 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -"Якщо у розділі домену sssdconf не встановлено параметр " -"«subdomains_provider», але встановлено параметр «id_provider = ipa», " -"інструмент надання даних піддоменів IPA налаштовано неявним чином. У цьому " -"випадку спроба запиту щодо піддомену зазнає невдачі і вказуватиме на те, що " -"на сервері не передбачено піддоменів, тобто його не налаштовано на довіру, " -"отже інструмент надання даних піддоменів IPA вимкнено. Щойно мине година або " -"відкриється доступ до інструмента надання даних IPA, інструмент надання " -"даних піддоменів буде знову увімкнено." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" -msgstr "НАЛАШТОВУВАННЯ ДОВІРЕНИХ ДОМЕНІВ" +"Список назв служб PAM, відокремлених комами, яким завжди надається доступ на " +"основі GPO, незалежно від будь-яких прав входу GPO." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 #, no-wrap msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:857 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Для довіреного домену можна також встановити деякі параметри налаштовування. " -"Налаштовування довіреного домену можна виконати за допомогою підрозділу, " -"приклад: <placeholder type=\"programlisting\" id=\"0\"/>" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб " +"замінити типову назву служби PAM для безумовного дозволеного доступу " +"(наприклад, «sudo») з нетиповою назвою служби pam (наприклад, " +"«my_pam_service»), вам слід скористатися такими налаштуваннями: <placeholder " +"type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" +msgstr "polkit-1" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" +msgstr "systemd-user" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:901 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -"Крім того, деякі параметри можна встановити у батьківському домені і " -"успадкувати для довіреного домену за допомогою параметра " -"<quote>subdomain_inherit</quote>. Щоб дізнатися більше, ознайомтеся зі " -"сторінкою підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"Список назв служб PAM, відокремлених комами, яким завжди заборонено доступ " +"на основі GPO, незалежно від будь-яких прав входу GPO." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" -"Перелік параметрів налаштовування для довіреного домену залежить від того, " -"як ви налаштували SSSD на сервері IPA або клієнт IPA." +"ad_gpo_map_deny = +my_pam_service\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" -msgstr "ПАРАМЕТРИ, ЯКІ МОЖНА НАЛАШТУВАТИ НА ОСНОВНИХ СЕРВЕРАХ IPA" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:927 msgid "" -"The following options can be set in a subdomain section on an IPA master:" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." 
msgstr "" -"У розділі піддомену на основному сервері IPA можна вказати такі параметри:" +"За допомогою цього параметра визначається спосіб керування доступом для назв " +"служб PAM, які не вказано явним чином у одному з параметрів ad_gpo_map_*. " +"Цей параметр може бути встановлено у два різних способи. По-перше, цей " +"параметр можна встановити так, що використовуватиметься типовий вхід. " +"Наприклад, якщо для цього параметра встановлено значення «interactive», " +"непов’язані назви служб PAM оброблятимуться на основі параметрів правил " +"InteractiveLogonRight і DenyInteractiveLogonRight. Крім того, для цього " +"параметра можна встановити таке значення, щоб система завжди дозволяла або " +"забороняла доступ для непов’язаних назв служб PAM." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" -msgstr "ad_server" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" +msgstr "Передбачені значення для цього параметра:" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" -msgstr "ad_backup_server" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" +msgstr "interactive" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" -msgstr "ad_site" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" +msgstr "remote_interactive" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" -msgstr "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" +msgstr "network" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" -msgstr "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" +msgstr "batch" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" -msgstr "ldap_group_search_base" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" +msgstr "service" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" +msgstr "permit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" +msgstr "deny" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:980 +msgid "Default: deny" +msgstr "Типове значення: deny" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "ad_maximum_machine_account_password_age (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:989 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" +"SSSD перевірятиме раз на день, чи має пароль до облікового запису комп'ютера " +"вік, який перевищує заданий вік у днях, і намагатиметься оновити його. " +"Значення 0 вимкне спроби оновлення." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" +msgstr "Типове значення: 30 днів" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "ad_machine_account_password_renewal_opts (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1004 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" +"Цей параметр має використовуватися лише для перевірки завдання із оновлення " +"облікових записів комп'ютерів. Параметру слід передати цілих числа, " +"відокремлених двокрапкою («:»). Перше ціле число визначає інтервал у " +"секундах між послідовними повторними виконаннями завдання з оновлення. Друге " +"— визначає початковий час очікування на перший запуск завдання." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" -msgstr "ПАРАМЕТРИ, ЯКІ МОЖНА НАЛАШТУВАТИ НА КЛІЄНТАХ IPA" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "Типове значення: 86400:750 (24 годин і 15 хвилин)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1022 msgid "" -"The following options can be set in a subdomain section on an IPA client:" -msgstr "У розділі піддомену на клієнті IPA можна вказати такі параметри:" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" +"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично " +"оновити IP-адресу цього клієнта на сервері DNS Active Directory. Захист " +"оновлення буде забезпечено за допомогою GSS-TSIG. Як наслідок, " +"адміністраторові Active Directory достатньо буде дозволити оновлення безпеки " +"для зони DNS. Для оновлення буде використано IP-адресу з’єднання LDAP AD, " +"якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" +msgstr "Типове значення: 3600 (секунд)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1068 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" -"Зауважте, що якщо встановлено обидва параметри, буде враховано лише " -"<quote>ad_server</quote>." +"Типове значення: використовувати IP-адреси інтерфейсу, який використовується " +"для з’єднання LDAP AD" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1081 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." 
msgstr "" -"Оскільки будь-який запит щодо ідентифікації користувача або групи від " -"довіреного домену, який започатковано клієнтом IPA, обробляється сервером " -"IPA, параметри <quote>ad_server</quote> і <quote>ad_site</quote> впливають " -"лише на те, який з DC AD виконуватиме процедуру розпізнавання. Зокрема, " -"адреси, які визначено за цими списками, буде записано до файлів " -"<quote>kdcinfo</quote>, читання яких виконуватиметься додатком пошуку " -"Kerberos. Будь ласка, зверніться до сторінки підручника щодо <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку Kerberos." +"Визначає, наскільки часто серверний модуль має виконувати періодичні " +"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час " +"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не " +"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true. " +"Зауважте, що найменшим можливим значенням є 60 секунд. Якщо буде вказано " +"значення, яке є меншим за 60, використовуватиметься найменше можливе " +"значення." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Типове значення: True" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sssd-ad.5.xml:1211 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"This example shows only the AD provider-specific options." msgstr "" "У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, " "а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. 
" -"У прикладі продемонстровано лише параметри доступу, специфічні для засобу " -"ipa." +"У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD." #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 +#: sssd-ad.5.xml:1218 #, no-wrap msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" -msgstr "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" -msgstr "sssd-ad" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" -msgstr "Модуль надання даних Active Directory SSSD" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 -msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -"На цій сторінці довідника описано налаштування засобу керування доступом AD " -"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. 
Щоб дізнатися більше про синтаксис налаштування, " -"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -"Засіб надання даних AD є модулем, який використовується для встановлення " -"з'єднання із сервером Active Directory. Для роботи цього засобу надання " -"даних потрібно, щоб комп'ютер було долучено до домену AD і щоб було " -"доступним сховище ключів. Обмін даними із модулем відбувається за допомогою " -"каналу із шифруванням GSSAPI. Із засобом надання даних AD не слід " -"використовувати параметри SSL/TLS, оскільки їх перекриває використання " -"Kerberos." +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#: sssd-ad.5.xml:1234 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"The AD access control provider checks if the account is expired. 
It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"У засобі надання даних AD передбачено підтримку встановлення з’єднання з " -"Active Directory 2008 R2 або пізнішою версією. Робота з попередніми версіями " -"можлива, але не підтримується." +"Інструмент керування доступом AD перевіряє, чи не завершено строк дії " +"облікового запису. Дає той самий результат, що і ось таке налаштовування " +"інструмента надання даних LDAP: <placeholder type=\"programlisting\" id=" +"\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 +#: sssd-ad.5.xml:1244 msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." msgstr "" -"Засобом надання даних AD можна скористатися для отримання даних щодо " -"користувачів і розпізнавання користувачів за допомогою довірених доменів. У " -"поточній версії передбачено підтримку використання лише довірених доменів з " -"того самого лісу. Крім того автоматично визначаються сервери із довірених " -"доменів." +"Втім, якщо явно не налаштовано засіб надання доступу «ad», типовим засобом " +"надання доступу буде «permit». Будь ласка, зауважте, що якщо вами " +"налаштовано засіб надання доступу, відмінний від «ad», вам доведеться " +"встановлювати усі параметри з’єднання (зокрема адреси LDAP та параметри " +"шифрування) вручну." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 +#: sssd-ad.5.xml:1252 msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." msgstr "" -"Засіб надання даних AD уможливлює для SSSD використання засобу надання даних " -"профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> та засобу надання даних " -"розпізнавання <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ Active " -"Directory. Засіб надання даних AD приймає ті самі параметри, які " -"використовуються засобами надання даних sssd-ldap та sssd-krb5, із деякими " -"виключеннями. Втім, встановлювати ці параметри не обов'язково і не " -"рекомендовано." +"Якщо для засобу надання даних autofs встановлено значення <quote>ad</quote>, " +"використовується схема прив'язки атрибутів RFC2307 (nisMap, nisObject, ...), " +"оскільки ці атрибути включено до типової схеми Active Directory." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." -msgstr "" -"Засіб надання даних AD в основному копіює типові параметри традиційних " -"засобів надання даних ldap і krb5 із деякими виключенням. Відмінності " -"наведено у розділі <quote>ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ</quote>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "sssd-sudo" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 -msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." -msgstr "" -"Інструментом надання даних AD також можна скористатися для доступу, зміни " -"паролів запуску від імені користувача (sudo) та використання autofs. У " -"налаштовуванні керування доступом на боці клієнта немає потреби." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "Налаштовування sudo за допомогою модуля SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." -msgstr "" -"Якщо у sssdconf вказано <quote>auth_provider=ad</quote> або " -"<quote>access_provider=ad</quote>, для id_provider також має бути вказано " -"<quote>ad</quote>." - -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#: sssd-sudo.5.xml:23 msgid "" -"ldap_id_mapping = False\n" -" " +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" -"ldap_id_mapping = False\n" -" " +"На цій сторінці підручника описано способи налаштовування <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"на роботу у комплексі з <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> та способи кешування правил sudo у " +"SSSD." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "Налаштовування sudo на співпрацю з SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 +#: sssd-sudo.5.xml:38 msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. 
Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"Типово, модуль надання даних AD виконуватиме прив’язку до значень UID та GID " -"з параметра objectSID у Active Directory. Докладніший опис наведено у " -"розділі «ВСТАНОВЛЕННЯ ВІДПОВІДНОСТІ ІДЕНТИФІКАТОРІВ». Якщо вам потрібно " -"вимкнути встановлення відповідності ідентифікаторів і покладатися на " -"атрибути POSIX, визначені у Active Directory, вам слід встановити " -"<placeholder type=\"programlisting\" id=\"0\"/> Якщо має бути використано " -"атрибути POSIX, рекомендуємо з міркувань швидкодії виконувати також " -"реплікацію атрибутів до загального каталогу. Якщо виконується реплікація " -"атрибутів POSIX, SSSD намагатиметься знайти домен числового ідентифікатора " -"із запиту за допомогою загального каталогу і шукатиме лише цей домен. І " -"навпаки, якщо реплікація атрибутів POSIX до загального каталогу не " -"відбувається, SSSD доводиться шукати на усіх доменах у лісі послідовно. Будь " -"ласка, зауважте, що для пришвидшення пошуку без доменів також може бути " -"корисним використання параметра <quote>cache_first</quote>. Зауважте, що " -"якщо у загальному каталозі є лише підмножина атрибутів POSIX, у поточній " -"версії невідтворювані атрибути з порту LDAP не читатимуться." +"Щоб увімкнути SSSD як джерело правил sudo, додайте <emphasis>sss</emphasis> " +"до запису <emphasis>sudoers</emphasis> у файлі <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 +#: sssd-sudo.5.xml:47 msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" msgstr "" -"Дані щодо користувачів, груп та інших записів, які обслуговуються SSSD, у " -"модулі надання даних AD завжди обробляються із врахуванням регістру символів " -"для забезпечення сумісності з реалізацією Active Directory у LDAP." +"Наприклад, щоб налаштувати sudo на першочерговий пошук правил у стандартному " +"файлі <citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> (цей файл має містити правила, що стосуються " +"локальних користувачів), а потім у SSSD, у файлі nsswitch.conf слід вказати " +"такий рядок:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" -msgstr "ad_domain (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "sudoers: files sss\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." 
+"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." msgstr "" -"Визначає назву домену Active Directory. Є необов’язковим. Якщо не вказано, " -"буде використано назву домену з налаштувань." +"Докладніші дані щодо налаштовування порядку пошуку у sudoers за допомогою " +"файла nsswitch.conf, а також дані щодо бази даних LDAP, у якій зберігаються " +"правила sudo каталогу, можна знайти на сторінці підручника <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." msgstr "" -"Для забезпечення належної роботи цей параметр слід вказати у форматі запису " -"малими літерами повної версії назви домену Active Directory." 
+"<emphasis>Зауваження</emphasis>: щоб у правилах sudo можна було " +"використовувати мережеві групи або групи вузлів IPA, вам слід належним чином " +"налаштувати <citerefentry> <refentrytitle>nisdomainname</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry> на назву домену NIS (назва цього " +"домену збігається з назвою домену IPA, якщо використовуються групи вузлів " +"IPA)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "Налаштовування SSSD на отримання правил sudo" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." msgstr "" -"Скорочена назва домену (також відома як назва NetBIOS або проста назва) " -"автоматично визначається засобами SSSD." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" -msgstr "ad_enabled_domains (рядок)" +"На боці SSSD достатньо розширити список <emphasis>служб</emphasis> " +"дописуванням «sudo» до розділу [sssd] <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Щоб " +"пришвидшити пошуку у LDAP, ви також можете налаштувати базу пошуку для " +"правил sudo за допомогою параметра <emphasis>ldap_sudo_search_base</" +"emphasis>." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." msgstr "" -"Список дозволених доменів Active Directory, відокремлених комами. Якщо " -"вказано, SSSD ігноруватиме будь-які домени, яких немає у списку цього " -"параметра. Якщо значення параметра не встановлено, доступними будуть усі " -"домени з лісу AD." +"У наведеному нижче прикладі показано, як налаштувати SSSD на отримання " +"правил sudo з сервера LDAP." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 #, no-wrap msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" msgstr "" -"Для належного функціонування значення цього параметра має бути вказано " -"малими літерами у форматі повної назви домену Active Directory. Приклад: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> Важливо зауважити, що на платформах, де передбачено " +"підтримку systemd, немає потреби додавати засіб надання даних «sudo» до " +"списку служб, оскільки він стає необов'язковим. Втім, замість нього слід " +"увімкнути sssd-sudo.socket.</phrase>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
msgstr "" -"Скорочена назва домену (також відома як назва NetBIOS або проста назва) " -"автоматично визначається засобами SSSD." +"Якщо SSSD налаштовано на використання IPA як засобу надання даних ID, засіб " +"надання даних sudo буде увімкнено автоматично. Базу пошуку sudo буде " +"налаштовано на використання природного для IPA дерева LDAP (cn=sudo," +"$SUFFIX). Якщо у sssd.conf буде визначено будь-яку іншу базу пошуку, " +"використовуватиметься це значення. Для використання функціональних " +"можливостей sudo у IPA потреби у дереві compat (ou=sudoers,$SUFFIX) більше " +"немає." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" -msgstr "ad_server, ad_backup_server (рядок)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "Механізм кешування правил SUDO" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." msgstr "" -"Список назв тих вузлів серверів AD, відокремлених комами, з якими SSSD має " -"встановлювати з'єднання у порядку пріоритетності. 
Щоб дізнатися більше про " -"резервне використання серверів, ознайомтеся із розділом <quote>РЕЗЕРВ</" -"quote>." +"Найбільшою складністю під час розробки підтримки sudo у SSSD було " +"забезпечення роботи sudo з SSSD так, щоб для користувача джерело даних " +"надавало дані у один спосіб та з тією самою швидкістю, що і sudo, надаючи " +"при цьому якомога свіжіший набір правил. Щоб виконати ці умови, SSSD " +"використовує оновлення трьох типів. Будемо називати ці тип повним " +"оновленням, інтелектуальним оновленням та оновленням правил." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." msgstr "" -"Цей список є необов’язковим, якщо увімкнено автоматичне виявлення служб. " -"Докладніші відомості щодо автоматичного виявлення служб наведено у розділі " -"«ПОШУК СЛУЖБ»." +"Використання типу <emphasis>інтелектуального оновлення</emphasis> полягає у " +"отриманні правил, які було додано або змінено з часу попереднього оновлення. " +"Основним призначенням оновлення такого типу є підтримання актуального стану " +"бази даних невеличкими порціями, які не спричиняють значного навантаження на " +"мережу." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." msgstr "" -"Зауваження: довірені домени завжди автоматично визначають сервери, навіть " -"якщо основний сервер явним чином визначено у параметрі ad_server." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" -msgstr "ad_hostname (рядок)" +"У разі використання <emphasis>повного оновлення</emphasis> всі правила sudo, " +"що зберігаються у кеші, буде вилучено і замінено на всі правила, які " +"зберігаються на сервері. Таким чином, кеш буде узгоджено шляхом вилучення " +"всіх правил, які було вилучено на сервері. Втім, повне оновлення може значно " +"навантажувати канал з’єднання, а отже його варто використовувати лише іноді. " +"Проміжок між сеансами повного оновлення має залежати від розміру і " +"стабільності правил sudo." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. 
It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." msgstr "" -"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не " -"відповідає повній назві, що використовується доменом Active Directory для " -"розпізнавання цього вузла." +"У разі використання типу <emphasis>оновлення правил</emphasis> " +"забезпечується ненадання користувачам ширших дозволів, ніж це було визначено " +"на сервері. Оновлення цього типу виконується під час кожного запуску " +"користувачем sudo. Під час оновлення буде виявлено всі правила, які " +"стосуються користувача, перевірено, чи не завершено строк дії цих правил, і " +"повторно отримано правила, якщо строк дії правил завершено. Якщо якихось з " +"правил не буде виявлено на сервері, SSSD виконає позачергове повне " +"оновлення, оскільки може виявитися, що було вилучено набагато більше правил " +"(які стосуються інших користувачів)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" msgstr "" -"Це поле використовується для визначення основної назви вузла, яка " -"використовуватиметься у таблиці ключів. Ця назва має відповідати назві " -"вузла, для якого випущено таблицю ключів." 
+"Якщо увімкнено, SSSD зберігатиме лише правила, які можна застосувати до " +"цього комп’ютера. Це означає, що зберігатимуться правила, що містять у " +"атрибуті <emphasis>sudoHost</emphasis> одне з таких значень:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" -msgstr "ad_enable_dns_sites (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "ключове слово ALL" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 -msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." -msgstr "" -"Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо " -"пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку " -"спробує визначити сервер Active Directory для встановлення з’єднання на " -"основі використання визначення сайтів Active Directory і повертається до " -"визначення за записами SRV DNS, якщо сайт AD не буде знайдено. Налаштування " -"SRV DNS, зокрема домен пошуку, використовуються також під час визначення " -"сайтів." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "шаблон заміни" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" -msgstr "ad_access_filter (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "мережеву групу (у форматі «+мережева група»)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." -msgstr "" -"Цей параметр визначає фільтр керування доступом LDAP, якому має відповідати " -"запис користувача для того, щоб йому було надано доступ. Будь ласка, " -"зауважте, що слід явним чином встановити для параметра «access_provider» " -"значення «ad», щоб цей параметр почав діяти." +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "назву вузла або повну назву у домені цього комп’ютера" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "одну з IP-адрес цього комп’ютера" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "одну з IP-адрес мережі (у форматі «адреса/маска»)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. 
" -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"У параметрі також передбачено підтримку визначення різних фільтрів для " -"окремих доменів або дерев. Цей розширений фільтр повинен мати такий формат: " -"«КЛЮЧОВЕ СЛОВО:НАЗВА:ФІЛЬТР». Набір підтримуваних ключових слів: «DOM», " -"«FOREST» або ключове слово слід пропустити." +"Для точного налаштовування поведінки передбачено доволі багато параметрів " +"Будь ласка, зверніться до розділу «ldap_sudo_*» у <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> та «sudo_*» у <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб ознайомитися з " +"докладним описом." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "Фонова служба безпеки системи" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." 
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"Якщо вказано ключове слово «DOM» або ключового слова не вказано, «НАЗВА» " -"визначає домен або піддомен, до якого застосовується фільтрування. Якщо " -"ключовим словом є «FOREST», фільтр застосовується до усіх доменів з лісу, " -"вказаного значенням «НАЗВА»." +"<command>sssd</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -"Декілька фільтрів можна відокремити символом «?», подібно до способу " -"визначення фільтрів у базах для пошуку." +"У <command>SSSD</command> передбачено набір фонових служб для керування " +"доступом до віддалених каталогів та механізмами розпізнавання. " +"<command>SSSD</command> надає операційній системі інтерфейси NSS і PAM, а " +"також систему придатних для під’єднання модулів для встановлення з’єднання з " +"декількома різними джерелами даних щодо облікових записів та інтерфейс D-" +"Bus. <command>SSSD</command> також є основою для систем перевірки " +"клієнтських систем та служб обслуговування правил доступу для проєктів, " +"подібних до FreeIPA. 
<command>SSSD</command> надає стійкішу базу даних для " +"збереження записів локальних користувачів, а також додаткових даних щодо " +"користувачів." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -"Визначення участі у вкладених групах має відбуватися із використанням " -"спеціалізованого OID <quote>:1.2.840.113556.1.4.1941:</quote>, окрім повних " -"синтаксичних конструкцій DOM:domain.example.org:, щоб засіб обробки не " -"намагався інтерпретувати символи двокрапки, пов'язані з OID. Якщо ви не " -"використовуєте цей OID, вкладена участь у групах не визначатиметься. " -"Ознайомтеся із прикладом використання, який наведено нижче, і цим " -"посиланням, щоб дізнатися більше про OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\">[MS-ADTS] Правила встановлення " -"відповідності у LDAP</ulink>" +"<option>-d</option>,<option>--debug-level</option> <replaceable>РІВЕНЬ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 -msgid "" -"The most specific match is always used. 
For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>режим</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -"Завжди використовується відповідник з найвищим рівнем відповідності. " -"Наприклад, якщо визначено фільтрування для домену, учасником якого є " -"користувач, і загальне фільтрування, буде використано фільтрування для " -"окремого домену. Якщо буде виявлено декілька відповідників з однаковою " -"специфікацією, використовуватиметься лише перший з них." +"<emphasis>1</emphasis>: додати часову позначку до діагностичних повідомлень." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap -msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -"# застосувати фільтрування лише для домену з назвою dom1:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# застосувати фільтрування лише для домену з назвою dom2:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# застосувати фільтрування лише для лісу з назвою EXAMPLE.COM:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# застосувати фільтрування до учасника вкладеної групи у dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"<emphasis>0</emphasis>: вимкнути часову позначку у діагностичних " +"повідомленнях" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" -msgstr "ad_site (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>режим</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -"Визначає сайт AD, з яким має встановлювати з’єднання клієнт. Якщо не буде " -"вказано, виконуватиметься спроба автоматичного визначення сайта AD." 
+"<emphasis>1</emphasis>: додати значення мікросекунд до часової позначки у " +"діагностичних повідомленнях" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" -msgstr "ad_enable_gc (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" +"<emphasis>0</emphasis>: вимкнути додавання мікросекунд до часової позначки" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -"Типово, SSSD для отримання даних користувачів з надійних (довірених) доменів " -"спочатку встановлює з’єднання із загальним каталогом (Global Catalog). Якщо " -"ж отримати дані не вдасться, система використовує порт LDAP для отримання " -"даних щодо участі у групах. Вимикання цього параметра призведе до того, що " -"SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD." +"Надіслати діагностичні дані до файлів, а не до stderr. 
Типово файли журналів " +"зберігаються у <filename>/var/log/sssd</filename>, передбачено також окремий " +"журнал для кожної служби і домену SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -"Будь ласка, зауважте, що вимикання підтримки загального каталогу (Global " -"Catalog) не призведе до вимикання спроб отримати дані користувачів з " -"надійних (довірених) доменів. Просто SSSD намагатиметься отримати ці ж дані " -"за допомогою порту LDAP надійних доменів. Втім, загальним каталогом (Global " -"Catalog) доведеться скористатися для визначення зв’язків даних щодо участі у " -"групах для різних доменів." +"Цей параметр вважається застарілим. Його замінено параметром <option>--" +"logger=files</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" -msgstr "ad_gpo_access_control (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "<option>--logger=</option><replaceable>значення</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -"Цей параметр визначає режим роботи для функціональних можливостей керування " -"доступом на основі GPO: працюватиме система у вимкненому режимі, режимі " -"примушення чи дозвільному режимі. Будь ласка, зауважте, що для того, щоб цей " -"параметр запрацював, слід явним чином встановити для параметра " -"«access_provider» значення «ad»." +"Місце, куди SSSD надсилатиме повідомлення журналу. Значення цього параметра " +"має вищий пріоритет за значення застарілого параметра <option>--debug-to-" +"files</option>. Застарілий параметр працюватиме, якщо не використано " +"параметр <option>--logger</option>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." 
msgstr "" -"Функціональні можливості з керування доступом на основі GPO використовують " -"параметри правил GPO для визначення того, може чи не може той чи інший " -"користувач увійти до системи певного вузла мережі." +"<emphasis>stderr</emphasis>: переспрямувати діагностичні повідомлення до " +"стандартного виведення помилок." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -"Зауваження: у поточній версії SSSD не передбачено підтримки записів вузлів " -"(комп'ютерів) до списку «Фільтрування захисту» («Security Filtering») GPO. " -"Передбачено підтримку лише записів користувачів і груп. Записи вузлів у " -"списку ні на що не впливатимуть." +"<emphasis>files</emphasis>: переспрямувати діагностичні повідомлення до " +"файлів журналу. Типово файли журналів зберігаються у <filename>/var/log/" +"sssd</filename>, передбачено також окремий журнал для кожної служби і домену " +"SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -"ЗАУВАЖЕННЯ: якщо встановлено режим роботи «примусовий» (enforcing), можлива " -"ситуація, коли користувачі, які раніше мали доступ до входу, позбудуться " -"такого доступу (через використання параметрів правил GPO). З метою полегшити " -"перехід на нову систему для адміністраторів передбачено дозвільний режим " -"доступу (permissive), за якого правила керування доступом не " -"встановлюватимуться у примусовому порядку. Програма лише перевірятиме " -"відповідність цим правилам і виводитиме до системного журналу повідомлення, " -"якщо доступ було надано усупереч цим правилам. Вивчення журналу надасть " -"змогу адміністраторам внести відповідні зміни до встановлення примусового " -"режиму (enforcing)." +"<emphasis>journald</emphasis>: переспрямувати діагностичні повідомлення до " +"systemd-journald" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" -msgstr "У цього параметра є три підтримуваних значення:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Перейти у режим фонової служби після запуску." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Запустити програму у звичайному режимі, не створювати фонової служби." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Визначити нетиповий файл налаштувань. Типовим файлом налаштувань є " +"<filename>/etc/sssd/sssd.conf</filename>. Довідку щодо синтаксису та " +"параметрів файла налаштувань можна знайти на сторінці довідника (man) " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" +msgstr "<option>-g</option>,<option>--genconf</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -"disabled: правила керування доступом, засновані на GPO, не обробляються і не " -"використовуються примусово." +"Не запускати SSSD, а лише оновити базу даних налаштувань на основі вмісту " +"<filename>/etc/sssd/sssd.conf</filename> і завершити роботу." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." -msgstr "" -"enforcing: правила керування доступом, засновані на GPO, обробляються і " -"використовуються примусово." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" +msgstr "<option>-s</option>,<option>--genconf-section</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." 
msgstr "" -"permissive: виконати перевірку відповідності правилам керування доступом на " -"основі GPO, але не наполягати на їхньому виконанні. Якщо правила не " -"виконуються, вивести до системного журналу повідомлення про те, що " -"користувачеві було б заборонено доступ, якби використовувався режим " -"enforcing." +"Подібний до <quote>--genconf</quote>, але наказує програмі освіжити лише " +"окремий розділу на основі файла налаштувань. Цей параметр корисний, в " +"основному, для виклику з файлів модулів systemd з метою дозволити " +"відповідачам, які активуються з сокетів, освіжати налаштування без потреби у " +"перезапуску адміністратором усього SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" -msgstr "Типове значення: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" -msgstr "Типове значення: enforcing" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." +msgstr "Вивести номер версії і завершити роботу." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" -msgstr "ad_gpo_implicit_deny (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" +msgstr "Сигнали" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -"Зазвичай, якщо не буде знайдено відповідних GPO, користувачам буде надано " -"доступ. Якщо для цього параметра встановлено значення True, доступ " -"користувачам надаватиметься, лише якщо його явним чином дозволено правилом " -"GPO. Якщо ж такого дозвільного правила не буде виявлено, доступ буде " -"заборонено. Цим можна скористатися для підвищення рівня захисту, але слід " -"бути обережним із використанням цього параметра, оскільки за його допомогою " -"можна заборонити доступ навіть користувачам у вбудованій групі " -"Administrators, якщо немає правил GPO, якими надається такий доступ." +"Повідомляє SSSD, що слід поступово завершити роботу всіх дочірніх процесів, " +"а потім завершити роботу монітора." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" -msgstr "ad_gpo_ignore_unreadable (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "SIGHUP" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -"Зазвичай, якщо певні контейнери правил групи (об'єкта AD) відповідних " -"об'єктів правил груп є непридатним до читання з SSSD, доступ користувачам " -"буде заборонено. За допомогою цього параметра можна проігнорувати контейнери " -"правил груп та пов'язані із ними правила, якщо їхні атрибути у контейнерах " -"правил груп є непридатним до читання з SSSD." +"Повідомляє SSSD, що слід припинити запис до файлів діагностичних даних з " +"поточними дескрипторами, закрити і повторно відкрити ці файли. Цей сигнал " +"призначено для полегшення процедури архівування журналів за допомогою " +"програм, подібних до logrotate." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" -msgstr "ad_gpo_cache_timeout (ціле число)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" +msgstr "SIGUSR1" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -"Проміжок часу між послідовними пошуками файлів правил GPO щодо сервера AD. " -"Зміна може зменшити час затримки та навантаження на сервер AD, якщо протягом " -"короткого періоду часу надходить багато запитів щодо керування доступом." +"Наказує SSSD імітувати автономну дію, тривалість якої визначається " +"параметром «offline_timeout». Найкориснішим застосуванням є тестування " +"служби. Сигнал може бути надіслано або процесу sssd, або процесу sssd_be " +"безпосередньо." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" -msgstr "ad_gpo_map_interactive (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "SIGUSR2" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." 
msgstr "" -"Список назв служб PAM, відокремлених комами, для яких керування доступом на " -"основі GPO виконуватиметься на основі параметрів правил " -"InteractiveLogonRight і DenyInteractiveLogonRight." +"Наказує SSSD перейти у режим роботи у мережі негайно. Найкориснішим " +"застосуванням є тестування служби. Сигнал може бути надіслано або процесу " +"sssd, або процесу sssd_be безпосередньо." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:259 +#, fuzzy +#| msgid "" +#| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +#| "applications will not use the fast in memory cache." msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -"Зауваження: у редакторі керування правилами для груп це значення має назву " -"«Дозволити локальний вхід» («Allow log on locally») та «Заборонити локальний " -"вхід» («Deny log on locally»)." +"Якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено значення «NO», " +"клієнтські програми не використовуватимуть fast у кеші у пам’яті." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "заплутування пароля у форматі звичайного тексту" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'><replaceable>[ПАРОЛЬ]</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " -"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " -"замінити типову назву служби PAM для цього входу (наприклад, «login») з " -"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " -"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" -"\"0\"/>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" -msgstr "gdm-fingerprint" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" -msgstr "lightdm" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" -msgstr "lxdm" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" -msgstr "sddm" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" -msgstr "unity" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" -msgstr "xdm" +"<command>sss_obfuscate</command> перетворює вказаний пароль на пароль у " +"форматі зручному для читання і розташовує його у розділі відповідного домену " +"файла налаштувань SSSD." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" -msgstr "ad_gpo_map_remote_interactive (рядок)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" +"Пароль у форматі звичайного тексту буде прочитано зі стандартного джерела " +"вхідних даних або введено інтерактивно. Заплутану версію пароля буде " +"збережено у параметрі з назвою «ldap_default_authtok» вказаного домену SSSD, " +"параметру «ldap_default_authtok_type» буде надано значення " +"«obfuscated_password». Докладніший опис цих параметрів можна знайти на " +"сторінці підручника (man) <citerefentry> <refentrytitle>sssd-ldap</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" +"Будь ласка, зауважте, що заплутування паролів <emphasis>не є справжнім " +"захистом</emphasis>, оскільки зловмисник може визначити алгоритм " +"заплутування за кодом програми. <emphasis>Наполегливо</emphasis> радимо вам " +"скористатися кращими механізмами захисту даних розпізнавання, зокрема " +"клієнтськими сертифікатами або GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -"Список назв служб PAM, відокремлених комами, для яких керування доступом на " -"основі GPO засновано на параметрах захисту RemoteInteractiveLogonRight і " -"DenyRemoteInteractiveLogonRight." +"Пароль для заплутування буде прочитано зі стандартного джерела вхідних даних." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"Зауваження: у редакторі керування правилами щодо груп це значення " -"називається «Дозволити вхід за допомогою служб віддаленої стільниці» («Allow " -"log on through Remote Desktop Services») та «Заборонити вхід за допомогою " -"служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)." +"<option>-d</option>,<option>--domain</option> <replaceable>ДОМЕН</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." 
msgstr "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +"Домен SSSD, для якого буде використано пароль. Типовою назвою є " +"<quote>default</quote>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " -"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " -"замінити типову назву служби PAM для цього входу (наприклад, «sshd») з " -"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " -"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"<option>-f</option>,<option>--file</option> <replaceable>ФАЙЛ</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" -msgstr "sshd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." 
+msgstr "Прочитати дані з файла налаштувань, вказаного позиційним параметром." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" -msgstr "cockpit" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Типове значення: <filename>/etc/sssd/sssd.conf</filename>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" -msgstr "ad_gpo_map_network (рядок)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "sss_override" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "створити локальні перевизначення атрибутів користувача і групи" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -"Список назв служб PAM, відокремлених комами, для яких керування доступом на " -"основі GPO засновано на параметрах захисту NetworkLogonRight і " -"DenyNetworkLogonRight." 
+"<command>sss_override</command> <arg choice='plain'><replaceable>КОМАНДА</" +"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </" +"arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -"Зауваження: у редакторі керування правилами щодо груп це значення " -"називається «Відкрити доступ до цього комп’ютера із мережі» («Access this " -"computer from the network») і «Заборонити доступ до цього комп’ютера із " -"мережі» (Deny access to this computer from the network»)." +"<command>sss_override</command> надає змогу створювати перегляди на боці " +"клієнта і змінювати вибрані значення для певного користувача і груп. Ці " +"зміни буде застосовано лише на локальному комп'ютері." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. 
<emphasis>sss_override</emphasis> prints message when a " +"restart is required." msgstr "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +"Дані перевизначень зберігаються у кеші SSSD. Якщо кеш вилучено, усі локальні " +"перевизначення буде втрачено. Будь ласка, зауважте, що після першого " +"створення перевизначення за допомогою команди <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> або " +"<emphasis>group-import</emphasis> SSSD слід перезапустити, щоб зміни набули " +"чинності. Якщо потрібен перезапуск, <emphasis>sss_override</emphasis> виведе " +"відповідне повідомлення." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "ДОСТУПНІ КОМАНДИ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " -"типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб " -"замінити типову назву служби PAM для цього входу (наприклад, «ftp») з " -"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " -"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"Аргумент <emphasis>НАЗВА</emphasis> в усіх командах є назвою початкового " +"об'єкта. Не можна перевизначити <emphasis>uid</emphasis> або <emphasis>gid</" +"emphasis> на 0." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" -msgstr "ftp" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" +"<option>user-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--" +"name</option> НАЗВА</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> ДОМІВКА</optional> <optional><option>-" +"s,--shell</option> ОБОЛОНКА</optional> <optional><option>-c,--gecos</option> " +"GECOS</optional> <optional><option>-x,--certificate</option> СЕРТИФІКАТ У " +"КОДУВАННІ BASE64</optional>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" -msgstr "samba" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" +"Перевизначити атрибути запису користувача. Будь ласка, зверніть увагу, що " +"виклик цієї команди замінить усі попередні перевизначення для вказаного за " +"назвою облікового запису користувача." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" -msgstr "ad_gpo_map_batch (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "<option>user-del</option> <emphasis>НАЗВА</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -"Список назв служб PAM, відокремлених комами, для яких керування доступом на " -"основі GPO засновано на параметрах захисту BatchLogonRight і " -"DenyBatchLogonRight." +"Вилучити перевизначення користувача. Втім, слід мати на увазі, що " +"перевизначені атрибути може бути повернено з кешу у пам'яті. Будь ласка, " +"ознайомтеся із документацією до параметра SSSD <emphasis>memcache_timeout</" +"emphasis>, щоб дізнатися більше." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -"Зауваження: у редакторі керування правилами щодо груп це значення " -"називається «Дозволити вхід як пакетне завдання» («Allow log on as a batch " -"job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)." +"<option>user-find</option> <optional><option>-d,--domain</option> ДОМЕН</" +"optional>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" +"Вивести список усіх користувачів, для яких встановлено перевизначення. Якщо " +"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише " +"користувачів з відповідного домену." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "<option>user-show</option> <emphasis>НАЗВА</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "Показати перевизначення користувача." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "<option>user-import</option> <emphasis>ФАЙЛ</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Імпортувати перевизначення користувачів з файла <emphasis>ФАЙЛ</emphasis>. " +"Формат даних у файлі має бути таким самим, як у стандартному файлі passwd. " +"Приклад:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " -"типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб " -"замінити типову назву служби PAM для цього входу (наприклад, «crond») з " -"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " -"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"початкова_назва:назва:uid:gid:gecos:домівка:оболонка:" +"сертифікат_у_кодуванні_base64" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -"Зауваження: назва служби cron у різних дистрибутивах Linux може бути різною." +"де «початкова_назва» — початкова назва запису користувача, чиї атрибути має " +"бути перевизначено. Решта полів відповідає новим значенням. Ви можете " +"пропустити значення, не заповнюючи відповідного поля." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "crond" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "ckent:superman::::::" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" -msgstr "ad_gpo_map_service (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." -msgstr "" -"Список назв служб PAM, відокремлених комами, для яких керування доступом на " -"основі GPO засновано на параметрах захисту ServiceLogonRight і " -"DenyServiceLogonRight." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "<option>user-export</option> <emphasis>ФАЙЛ</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -"Зауваження: у редакторі керування правилами щодо груп це значення " -"називається «Дозволити вхід як службу» («Allow log on as a service») і " -"«Заборонити вхід як службу» («Deny log on as a service»)." +"Експортувати усі перевизначені атрибути і зберегти їх у файлі " +"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>user-import</emphasis>, щоб " +"дізнатися більше про формат даних." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -"ad_gpo_map_service = +my_pam_service\n" -" " +"<option>group-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--" +"name</option> НАЗВА</optional> <optional><option>-g,--gid</option> GID</" +"optional>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби». Оскільки типовий набір є порожнім, назви служби " -"з типового набору назв служб PAM вилучити неможливо. Наприклад, щоб додати " -"нетипову назву служби PAM (наприклад, «my_pam_service»), вам слід " -"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"Перевизначити атрибути запису групи. 
Будь ласка, зверніть увагу, що виклик " +"цієї команди замінить усі попередні перевизначення для вказаної за назвою " +"групи." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" -msgstr "ad_gpo_map_permit (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "<option>group-del</option> <emphasis>НАЗВА</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -"Список назв служб PAM, відокремлених комами, яким завжди надається доступ на " -"основі GPO, незалежно від будь-яких прав входу GPO." +"Вилучити перевизначення групи. Втім, слід мати на увазі, що перевизначені " +"атрибути може бути повернено з кешу у пам'яті. Будь ласка, ознайомтеся із " +"документацією до параметра SSSD <emphasis>memcache_timeout</emphasis>, щоб " +"дізнатися більше." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> ДОМЕН</" +"optional>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -"Можна додати іншу назву служби PAM до типового набору за допомогою " -"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " -"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " -"замінити типову назву служби PAM для безумовного дозволеного доступу " -"(наприклад, «sudo») з нетиповою назвою служби pam (наприклад, " -"«my_pam_service»), вам слід скористатися такими налаштуваннями: <placeholder " -"type=\"programlisting\" id=\"0\"/>" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" -msgstr "polkit-1" +"Вивести список усіх груп, для яких встановлено перевизначення. Якщо " +"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише групи з " +"відповідного домену." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" -msgstr "systemd-user" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "<option>group-show</option> <emphasis>НАЗВА</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" -msgstr "ad_gpo_map_deny (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "Показати перевизначення групи." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." -msgstr "" -"Список назв служб PAM, відокремлених комами, яким завжди заборонено доступ " -"на основі GPO, незалежно від будь-яких прав входу GPO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "<option>group-import</option> <emphasis>ФАЙЛ</emphasis>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"Імпортувати перевизначення груп з файла <emphasis>ФАЙЛ</emphasis>. Формат " +"даних у файлі має бути таким самим, як у стандартному файлі group. Приклад:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" -msgstr "ad_gpo_default_right (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "початкова_назва:назва:gid" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." 
-msgstr "" -"За допомогою цього параметра визначається спосіб керування доступом для назв " -"служб PAM, які не вказано явним чином у одному з параметрів ad_gpo_map_*. " -"Цей параметр може бути встановлено у два різних способи. По-перше, цей " -"параметр можна встановити так, що використовуватиметься типовий вхід. " -"Наприклад, якщо для цього параметра встановлено значення «interactive», " -"непов’язані назви служб PAM оброблятимуться на основі параметрів правил " -"InteractiveLogonRight і DenyInteractiveLogonRight. Крім того, для цього " -"параметра можна встановити таке значення, щоб система завжди дозволяла або " -"забороняла доступ для непов’язаних назв служб PAM." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "Передбачені значення для цього параметра:" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" +"де «початкова_назва» — початкова назва групи, чиї атрибути має бути " +"перевизначено. Решта полів відповідає новим значенням. Ви можете пропустити " +"значення, не заповнюючи відповідного поля." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "interactive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "admins:administrators:" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "remote_interactive" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "Domain Users:Users:501" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" -msgstr "network" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "<option>group-export</option> <emphasis>ФАЙЛ</emphasis>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "batch" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" +"Експортувати усі перевизначені атрибути і зберегти їх у файлі " +"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>group-import</emphasis>, щоб " +"дізнатися більше про формат даних." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" -msgstr "service" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "ЗАГАЛЬНІ ПАРАМЕТРИ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" -msgstr "permit" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." 
+msgstr "Ці параметри можна використовувати з усіма командами." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" -msgstr "deny" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "<option>--debug</option> <replaceable>РІВЕНЬ</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" -msgstr "Типове значення: deny" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" -msgstr "ad_maximum_machine_account_password_age (ціле число)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "створення нового запису користувача" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"SSSD перевірятиме раз на день, чи має пароль до облікового запису комп'ютера " -"вік, який перевищує заданий вік у днях, і намагатиметься оновити його. 
" -"Значення 0 вимкне спроби оновлення." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" -msgstr "Типове значення: 30 днів" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" -msgstr "ad_machine_account_password_renewal_opts (рядок)" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg " +"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -"Цей параметр має використовуватися лише для перевірки завдання із оновлення " -"облікових записів комп'ютерів. Параметру слід передати цілих числа, " -"відокремлених двокрапкою («:»). Перше ціле число визначає інтервал у " -"секундах між послідовними повторними виконаннями завдання з оновлення. Друге " -"— визначає початковий час очікування на перший запуск завдання." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" -msgstr "Типове значення: 86400:750 (24 годин і 15 хвилин)" +"<command>sss_useradd</command> створює обліковий запис користувача на основі " +"значень, вказаних у командному рядку та типових значень системи." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично " -"оновити IP-адресу цього клієнта на сервері DNS Active Directory. Захист " -"оновлення буде забезпечено за допомогою GSS-TSIG. Як наслідок, " -"адміністраторові Active Directory достатньо буде дозволити оновлення безпеки " -"для зони DNS. Для оновлення буде використано IP-адресу з’єднання LDAP AD, " -"якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" -msgstr "Типове значення: 3600 (секунд)" +"<option>-u</option>,<option>--uid</option> <replaceable>ідентифікатор " +"користувача</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -"Типове значення: використовувати IP-адреси інтерфейсу, який використовується " -"для з’єднання LDAP AD" +"Встановити для параметра ідентифікатора користувача (UID) значення " +"<replaceable>UID</replaceable>. Якщо таке значення не буде вказано, програма " +"вибере його автоматично." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -"Визначає, наскільки часто серверний модуль має виконувати періодичні " -"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час " -"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не " -"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true. " -"Зауважте, що найменшим можливим значенням є 60 секунд. Якщо буде вказано " -"значення, яке є меншим за 60, використовуватиметься найменше можливе " -"значення." - -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" -msgstr "Типове значення: True" +"<option>-c</option>,<option>--gecos</option> <replaceable>КОМЕНТАР</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, " -"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " -"У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD." +"Будь-який рядок тексту, що описує користувача. Часто використовується для " +"зберігання паспортного імені користувача." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +"<option>-h</option>,<option>--home</option> <replaceable>ДОМАШНІЙ_КАТАЛОГ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Домашній каталог облікового запису користувача. Типовою назвою такого " +"каталогу є назва, що утворюється додаванням <replaceable>ІМЕНІ_КОРИСТУВАЧА</" +"replaceable> до запису <filename>/home</filename>. Рядок, який буде додано " +"перед <replaceable>ІМЕНЕМ_КОРИСТУВАЧА</replaceable>, можна визначити за " +"допомогою параметра «user_defaults/baseDirectory» у sssd.conf." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -"Інструмент керування доступом AD перевіряє, чи не завершено строк дії " -"облікового запису. Дає той самий результат, що і ось таке налаштовування " -"інструмента надання даних LDAP: <placeholder type=\"programlisting\" id=" -"\"0\"/>" +"<option>-s</option>,<option>--shell</option> <replaceable>ОБОЛОНКА</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -"Втім, якщо явно не налаштовано засіб надання доступу «ad», типовим засобом " -"надання доступу буде «permit». Будь ласка, зауважте, що якщо вами " -"налаштовано засіб надання доступу, відмінний від «ad», вам доведеться " -"встановлювати усі параметри з’єднання (зокрема адреси LDAP та параметри " -"шифрування) вручну." +"Командна оболонка реєстрації користувача. 
У поточній версії типовою " +"оболонкою є <filename>/bin/bash</filename>. Типову оболонку можна змінити за " +"допомогою параметра «user_defaults/defaultShell» у sssd.conf." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -"Якщо для засобу надання даних autofs встановлено значення <quote>ad</quote>, " -"використовується схема прив'язки атрибутів RFC2307 (nisMap, nisObject, ...), " -"оскільки ці атрибути включено до типової схеми Active Directory." +"<option>-G</option>,<option>--groups</option> <replaceable>ГРУПИ</" +"replaceable>" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" -msgstr "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "Список груп, учасником яких є користувач." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" -msgstr "Налаштовування sudo за допомогою модуля SSSD" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -"На цій сторінці підручника описано способи налаштовування <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"на роботу у комплексі з <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> та способи кешування правил sudo у " -"SSSD." +"Створити домашній каталог користувача, якщо такого ще не існує. До такого " +"домашнього каталогу буде скопійовано файли і каталоги з каркасного каталогу " +"(який можна визначити за допомогою параметра -k або запису у файлі " +"налаштувань)." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" -msgstr "Налаштовування sudo на співпрацю з SSSD" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Do not create the user's home directory. Overrides configuration settings." msgstr "" -"Щоб увімкнути SSSD як джерело правил sudo, додайте <emphasis>sss</emphasis> " -"до запису <emphasis>sudoers</emphasis> у файлі <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Не створювати домашнього каталогу користувача. Має пріоритет над іншими " +"параметрами налаштування." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -"Наприклад, щоб налаштувати sudo на першочерговий пошук правил у стандартному " -"файлі <citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> (цей файл має містити правила, що стосуються " -"локальних користувачів), а потім у SSSD, у файлі nsswitch.conf слід вказати " -"такий рядок:" +"<option>-k</option>,<option>--skel</option> <replaceable>КАТАЛОГ_SKEL</" +"replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" -msgstr "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" +"Каркасний каталог, який містить файли і каталоги, які буде скопійовано до " +"домашнього каталогу користувача, коли такий домашній каталог створюється " +"командою <command>sss_useradd</command>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -"Докладніші дані щодо налаштовування порядку пошуку у sudoers за допомогою " -"файла nsswitch.conf, а також дані щодо бази даних LDAP, у якій зберігаються " -"правила sudo каталогу, можна знайти на сторінці підручника <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Спеціальні файли (блокові пристрої, символьні пристрої, іменовані канали та " +"сокети UNIX) скопійовано не буде." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -"<emphasis>Зауваження</emphasis>: щоб у правилах sudo можна було " -"використовувати мережеві групи або групи вузлів IPA, вам слід належним чином " -"налаштувати <citerefentry> <refentrytitle>nisdomainname</refentrytitle> " -"<manvolnum>1</manvolnum> </citerefentry> на назву домену NIS (назва цього " -"домену збігається з назвою домену IPA, якщо використовуються групи вузлів " -"IPA)." +"Цей параметр набуде чинності, лише якщо вказано параметр <option>-m</option> " +"(або <option>--create-home</option>) або для створення домашніх каталогів " +"вказано TRUE у налаштуваннях." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" -msgstr "Налаштовування SSSD на отримання правил sudo" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>КОРИСТУВАЧ_SELINUX</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -"На боці SSSD достатньо розширити список <emphasis>служб</emphasis> " -"дописуванням «sudo» до розділу [sssd] <citerefentry> <refentrytitle>sssd." -"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Щоб " -"пришвидшити пошуку у LDAP, ви також можете налаштувати базу пошуку для " -"правил sudo за допомогою параметра <emphasis>ldap_sudo_search_base</" -"emphasis>." +"Користувач SELinux, що відповідає користувачеві, який увійшов до системи. " +"Якщо не вказано, буде використано типового користувача системи." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "Модуль надання даних Kerberos SSSD" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 +#: sssd-krb5.5.xml:23 msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"У наведеному нижче прикладі показано, як налаштувати SSSD на отримання " -"правил sudo з сервера LDAP." +"На цій сторінці довідника описано налаштування засобу розпізнавання Kerberos " +"5 для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, " +"зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." 
msgstr "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Модуль розпізнавання Kerberos 5 містити засоби розпізнавання та зміни " +"паролів. З метою отримання належних результатів його слід використовувати " +"разом з інструментом обробки профілів (наприклад, id_provider = ldap). Деякі " +"з даних, потрібних для роботи модуля розпізнавання Kerberos 5, має бути " +"надано інструментом обробки профілів, серед цих даних Kerberos Principal " +"Name (UPN) або реєстраційне ім’я користувача. У налаштуваннях інструменту " +"обробки профілів має бути запис з визначенням UPN. Докладні настанови щодо " +"визначення такого UPN має бути викладено на сторінці довідника (man) " +"відповідного інструменту обробки профілів." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 +#: sssd-krb5.5.xml:47 msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." 
msgstr "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> Важливо зауважити, що на платформах, де передбачено " -"підтримку systemd, немає потреби додавати засіб надання даних «sudo» до " -"списку служб, оскільки він стає необов'язковим. Втім, замість нього слід " -"увімкнути sssd-sudo.socket.</phrase>" +"У цьому інструменті керування даними також передбачено можливості керування " +"доступом, засновані на даних з файла .k5login у домашньому каталозі " +"користувача. Докладніші відомості можна отримати з підручника до " +"<citerefentry> <refentrytitle>.k5login</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>. Зауважте, що якщо файл .k5login виявиться " +"порожнім, доступ користувачеві буде заборонено. Щоб задіяти можливість " +"керування доступом, додайте рядок «access_provider = krb5» до ваших " +"налаштувань SSSD." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#: sssd-krb5.5.xml:55 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" -"Якщо SSSD налаштовано на використання IPA як засобу надання даних ID, засіб " -"надання даних sudo буде увімкнено автоматично. Базу пошуку sudo буде " -"налаштовано на використання природного для IPA дерева LDAP (cn=sudo," -"$SUFFIX). Якщо у sssd.conf буде визначено будь-яку іншу базу пошуку, " -"використовуватиметься це значення. 
Для використання функціональних " -"можливостей sudo у IPA потреби у дереві compat (ou=sudoers,$SUFFIX) більше " -"немає." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" -msgstr "Механізм кешування правил SUDO" +"У випадку, коли доступу до UPN у модулі профілів не передбачено, " +"<command>sssd</command> побудує UPN у форматі <replaceable>ім’я_користувача</" +"replaceable>@<replaceable>область_krb5</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" -"Найбільшою складністю під час розробки підтримки sudo у SSSD було " -"забезпечення роботи sudo з SSSD так, щоб для користувача джерело даних " -"надавало дані у один спосіб та з тією самою швидкістю, що і sudo, надаючи " -"при цьому якомога свіжіший набір правил. Щоб виконати ці умови, SSSD " -"використовує оновлення трьох типів. 
Будемо називати ці тип повним " -"оновленням, інтелектуальним оновленням та оновленням правил." +"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів " +"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути " +"впорядковано за пріоритетом. Докладніше про резервування та додаткові " +"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може " +"бути додано номер порту (перед номером слід вписати двокрапку). Якщо " +"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше " +"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -"Використання типу <emphasis>інтелектуального оновлення</emphasis> полягає у " -"отриманні правил, які було додано або змінено з часу попереднього оновлення. " -"Основним призначенням оновлення такого типу є підтримання актуального стану " -"бази даних невеличкими порціями, які не спричиняють значного навантаження на " -"мережу." +"Назва області Kerberos. Цей параметр є обов’язковим, його неодмінно слід " +"вказати." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -"У разі використання <emphasis>повного оновлення</emphasis> всі правила sudo, " -"що зберігаються у кеші, буде вилучено і замінено на всі правила, які " -"зберігаються на сервері. Таким чином, кеш буде узгоджено шляхом вилучення " -"всіх правил, які було вилучено на сервері. Втім, повне оновлення може значно " -"навантажувати канал з’єднання, а отже його варто використовувати лише іноді. " -"Проміжок між сеансами повного оновлення має залежати від розміру і " -"стабільності правил sudo." +"Якщо службу зміни паролів не запущено на KDC, тут можна визначити " +"альтернативні сервери. До адрес або назв вузлів можна додати номер порту " +"(перед яким слід вписати двокрапку)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. 
In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -"У разі використання типу <emphasis>оновлення правил</emphasis> " -"забезпечується ненадання користувачам ширших дозволів, ніж це було визначено " -"на сервері. Оновлення цього типу виконується під час кожного запуску " -"користувачем sudo. Під час оновлення буде виявлено всі правила, які " -"стосуються користувача, перевірено, чи не завершено строк дії цих правил, і " -"повторно отримано правила, якщо строк дії правил завершено. Якщо якихось з " -"правил не буде виявлено на сервері, SSSD виконає позачергове повне " -"оновлення, оскільки може виявитися, що було вилучено набагато більше правил " -"(які стосуються інших користувачів)." +"Додаткові відомості щодо резервних серверів можна знайти у розділі «РЕЗЕРВ». " +"Зауваження: навіть якщо список всіх серверів kpasswd буде вичерпано, модуль " +"не перемкнеться у автономний режим роботи, якщо розпізнавання за KDC " +"залишатиметься можливим." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Типове значення: використання KDC" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -"Якщо увімкнено, SSSD зберігатиме лише правила, які можна застосувати до " -"цього комп’ютера. Це означає, що зберігатимуться правила, що містять у " -"атрибуті <emphasis>sudoHost</emphasis> одне з таких значень:" +"Каталог для зберігання кешу реєстраційних даних. Тут також можна " +"використовувати усі замінники з krb5_ccname_template, окрім %d та %P. " +"Каталог створюється як конфіденційний, власником є користувач, права доступу " +"— 0700." -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" -msgstr "ключове слово ALL" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Типове значення: /tmp" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" -msgstr "шаблон заміни" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (рядок)" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" -msgstr "мережеву групу (у форматі «+мережева група»)" +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" -msgstr "назву вузла або повну назву у домені цього комп’ютера" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "ім'я користувача" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" -msgstr "одну з IP-адрес цього комп’ютера" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" -msgstr "одну з IP-адрес мережі (у форматі «адреса/маска»)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "ідентифікатор користувача" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 -msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." 
-msgstr "" -"Для точного налаштовування поведінки передбачено доволі багато параметрів " -"Будь ласка, зверніться до розділу «ldap_sudo_*» у <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> та «sudo_*» у <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб ознайомитися з " -"докладним описом." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "назва реєстраційного запису" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" -msgstr "sssd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" -msgstr "Фонова служба безпеки системи" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "назва області" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 -msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -msgstr "" -"<command>sssd</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 -msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." -msgstr "" -"У <command>SSSD</command> передбачено набір фонових служб для керування " -"доступом до віддалених каталогів та механізмами розпізнавання. " -"<command>SSSD</command> надає операційній системі інтерфейси NSS і PAM, а " -"також систему придатних для під’єднання модулів для встановлення з’єднання з " -"декількома різними джерелами даних щодо облікових записів та інтерфейс D-" -"Bus. <command>SSSD</command> також є основою для систем перевірки " -"клієнтських систем та служб обслуговування правил доступу для проєктів, " -"подібних до FreeIPA. <command>SSSD</command> надає стійкішу базу даних для " -"збереження записів локальних користувачів, а також додаткових даних щодо " -"користувачів." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "домашній каталог" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" -msgstr "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>РІВЕНЬ</" -"replaceable>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-timestamps=</option><replaceable>режим</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "значення krb5_ccachedir" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" -msgstr "" -"<emphasis>1</emphasis>: додати часову позначку до діагностичних повідомлень." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" -msgstr "" -"<emphasis>0</emphasis>: вимкнути часову позначку у діагностичних " -"повідомленнях" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "ідентифікатор процесу клієнтської частини SSSD" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" -msgstr "<option>--debug-microseconds=</option><replaceable>режим</replaceable>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "символ відсотків («%»)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" -"<emphasis>1</emphasis>: додати значення мікросекунд до часової позначки у " -"діагностичних повідомленнях" +"Розташування кешу з реєстраційними даними користувача У поточній версії " +"передбачено підтримку трьох типів кешу реєстраційних даних: <quote>FILE</" +"quote>, <quote>DIR</quote> та <quote>KEYRING:persistent</quote>. 
Кеш може " +"бути вказано або у форматі <replaceable>ТИП:РЕШТА</replaceable>, або у " +"форматі абсолютного шляху (тоді вважається, що типом кешу є <quote>FILE</" +"quote>). У шаблоні передбачено можливість використання таких послідовностей-" +"замінників: <placeholder type=\"variablelist\" id=\"0\"/> Якщо шаблон " +"завершується послідовністю «XXXXXX», для безпечного створення назви файла " +"використовується mkstemp(3)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" -"<emphasis>0</emphasis>: вимкнути додавання мікросекунд до часової позначки" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" -msgstr "<option>-f</option>,<option>--debug-to-files</option>" +"Якщо використовуються типи KEYRING, єдиним підтримуваним механізмом є " +"«KEYRING:persistent:%U», тобто використання сховища ключів ядра Linux для " +"зберігання реєстраційних даних на основі поділу за UID. Цей варіант є " +"рекомендованим, оскільки це найбезпечніший та найпередбачуваніший спосіб." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 msgid "" -"Send the debug output to files instead of stderr. 
By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" -"Надіслати діагностичні дані до файлів, а не до stderr. Типово файли журналів " -"зберігаються у <filename>/var/log/sssd</filename>, передбачено також окремий " -"журнал для кожної служби і домену SSSD." +"Типове значення назви кешу реєстраційних даних буде запозичено з " +"загальносистемного профілю, що зберігається у файлі налаштувань krb5.conf, " +"розділ [libdefaults]. Назва параметра — default_ccache_name. Див. розділ " +"щодо розгортання параметрів (PARAMETER EXPANSION) у довідці щодо krb5." +"conf(5), щоб отримати додаткові дані щодо формату розгортання, використаного " +"у krb5.conf." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" -"Цей параметр вважається застарілим. Його замінено параметром <option>--" -"logger=files</option>." 
+"ЗАУВАЖЕННЯ: майте на увазі, що шаблон розширення ccache libkrb5 з " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> використовує інші послідовності розширення, що не " +"збігаються із використаними у SSSD." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" -msgstr "<option>--logger=</option><replaceable>значення</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Типове значення: (з libkrb5)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 -msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." -msgstr "" -"Місце, куди SSSD надсилатиме повідомлення журналу. Значення цього параметра " -"має вищий пріоритет за значення застарілого параметра <option>--debug-to-" -"files</option>. Застарілий параметр працюватиме, якщо не використано " -"параметр <option>--logger</option>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (ціле число)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"Timeout in seconds after an online authentication request or change password " +"request is aborted. 
If possible, the authentication request is continued " +"offline." msgstr "" -"<emphasis>stderr</emphasis>: переспрямувати діагностичні повідомлення до " -"стандартного виведення помилок." +"Час очікування, по завершенню якого буде перервано запит щодо розпізнавання " +"або зміни пароля у мережі. Якщо це можливо, обробку запиту щодо " +"розпізнавання буде продовжено у автономному режимі." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -"<emphasis>files</emphasis>: переспрямувати діагностичні повідомлення до " -"файлів журналу. Типово файли журналів зберігаються у <filename>/var/log/" -"sssd</filename>, передбачено також окремий журнал для кожної служби і домену " -"SSSD." +"Перевірити за допомогою krb5_keytab, чи отриманий TGT не було підмінено. " +"Перевірка записів у таблиці ключів виконується послідовно. Для перевірки " +"використовується перший запис з відповідним значенням області. 
Якщо не буде " +"знайдено жодного відповідного області запису, буде використано останній " +"запис з таблиці ключів. Цим процесом можна скористатися для перевірки " +"середовищ за допомогою зв’язків довіри між записами областей: достатньо " +"розташувати відповідний запис таблиці ключів на останньому місці або зробити " +"його єдиним записом у файлі таблиці ключів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -"<emphasis>journald</emphasis>: переспрямувати діагностичні повідомлення до " -"systemd-journald" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" -msgstr "<option>-D</option>,<option>--daemon</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." -msgstr "Перейти у режим фонової служби після запуску." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" -msgstr "<option>-i</option>,<option>--interactive</option>" +"Розташування таблиці ключів, якою слід скористатися під час перевірки " +"реєстраційних даних, отриманих від KDC." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." -msgstr "Запустити програму у звичайному режимі, не створювати фонової служби." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Типове значення: /etc/krb5.keytab" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" -msgstr "<option>-c</option>,<option>--config</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (булівське значення)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -"Визначити нетиповий файл налаштувань. Типовим файлом налаштувань є " -"<filename>/etc/sssd/sssd.conf</filename>. Довідку щодо синтаксису та " -"параметрів файла налаштувань можна знайти на сторінці довідника (man) " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" -msgstr "<option>-g</option>,<option>--genconf</option>" +"Зберігати пароль користувача, якщо засіб перевірки перебуває поза мережею, і " +"використовувати його для запитів TGT після встановлення з’єднання з засобом " +"перевірки." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" -"Не запускати SSSD, а лише оновити базу даних налаштувань на основі вмісту " -"<filename>/etc/sssd/sssd.conf</filename> і завершити роботу." +"Зауваження: ця можливість у поточній версії доступна лише на платформі " +"Linux. Паролі зберігатимуться у форматі звичайного тексту (без шифрування) у " +"сховищі ключів ядра, потенційно до них може отримати доступ адміністративний " +"користувач (root), але йому для цього слід буде подолати деякі перешкоди." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" -msgstr "<option>-s</option>,<option>--genconf-section</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Подібний до <quote>--genconf</quote>, але наказує програмі освіжити лише " -"окремий розділу на основі файла налаштувань. Цей параметр корисний, в " -"основному, для виклику з файлів модулів systemd з метою дозволити " -"відповідачам, які активуються з сокетів, освіжати налаштування без потреби у " -"перезапуску адміністратором усього SSSD." +"Надіслати запит щодо поновлюваного квитка з загальним строком дії, вказаним " +"за допомогою цілого числа, за яким одразу вказано одиницю часу:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" -msgstr "<option>--version</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> — секунди" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." -msgstr "Вивести номер версії і завершити роботу." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> — хвилини" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" -msgstr "Сигнали" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> — години" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" -msgstr "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> — дні." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" +"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " +"<emphasis>s</emphasis>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" -"Повідомляє SSSD, що слід поступово завершити роботу всіх дочірніх процесів, " -"а потім завершити роботу монітора." 
+"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " +"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " +"«1h30m»." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" -msgstr "SIGHUP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Типове значення: не встановлено, тобто TGT не є оновлюваним" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" -"Повідомляє SSSD, що слід припинити запис до файлів діагностичних даних з " -"поточними дескрипторами, закрити і повторно відкрити ці файли. Цей сигнал " -"призначено для полегшення процедури архівування журналів за допомогою " -"програм, подібних до logrotate." +"Надіслати запит щодо квитка з загальним строком дії, вказаним за допомогою " +"цілого числа, за яким одразу вказано одиницю часу:" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" -msgstr "SIGUSR1" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" +"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " +"<emphasis>s</emphasis>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" -"Наказує SSSD імітувати автономну дію, тривалість якої визначається " -"параметром «offline_timeout». Найкориснішим застосуванням є тестування " -"служби. Сигнал може бути надіслано або процесу sssd, або процесу sssd_be " -"безпосередньо." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" -msgstr "SIGUSR2" +"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " +"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " +"«1h30m»." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
msgstr "" -"Наказує SSSD перейти у режим роботи у мережі негайно. Найкориснішим " -"застосуванням є тестування служби. Сигнал може бути надіслано або процесу " -"sssd, або процесу sssd_be безпосередньо." +"Типове значення: не встановлено, тобто типовий строк дії квитка " +"визначатиметься у налаштуваннях KDC." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -"Якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено значення «NO», " -"клієнтські програми не використовуватимуть fast у кеші у пам’яті." +"Час у секундах між двома послідовними перевірками того, чи слід оновлювати " +"записи TGT. Записи TGT оновлюються після завершення приблизно половини " +"їхнього строку дії, що задається як ціле число з наступним позначенням " +"одиниці часу:" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" -msgstr "sss_obfuscate" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" +"Якщо значення для цього параметра встановлено не буде або буде встановлено " +"значення 0, автоматичного оновлення не відбуватиметься." -#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" -msgstr "заплутування пароля у форматі звичайного тексту" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (рядок)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg choice='plain'><replaceable>[ПАРОЛЬ]</replaceable></" -"arg>" +"Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible " +"authentication secure tunneling або FAST) для попереднього розпізнавання у " +"Kerberos. Передбачено такі варіанти:" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -"<command>sss_obfuscate</command> перетворює вказаний пароль на пароль у " -"форматі зручному для читання і розташовує його у розділі відповідного домену " -"файла налаштувань SSSD." 
+"<emphasis>never</emphasis> використовувати FAST, рівнозначний варіанту, за " +"якого значення цього параметра взагалі не задається." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -"Пароль у форматі звичайного тексту буде прочитано зі стандартного джерела " -"вхідних даних або введено інтерактивно. Заплутану версію пароля буде " -"збережено у параметрі з назвою «ldap_default_authtok» вказаного домену SSSD, " -"параметру «ldap_default_authtok_type» буде надано значення " -"«obfuscated_password». Докладніший опис цих параметрів можна знайти на " -"сторінці підручника (man) <citerefentry> <refentrytitle>sssd-ldap</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"<emphasis>try</emphasis> — використовувати FAST. Якщо на сервері не " +"передбачено підтримки FAST, продовжити розпізнавання без FAST." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. 
Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -"Будь ласка, зауважте, що заплутування паролів <emphasis>не є справжнім " -"захистом</emphasis>, оскільки зловмисник може визначити алгоритм " -"заплутування за кодом програми. <emphasis>Наполегливо</emphasis> радимо вам " -"скористатися кращими механізмами захисту даних розпізнавання, зокрема " -"клієнтськими сертифікатами або GSSAPI." +"<emphasis>demand</emphasis> — використовувати FAST. Якщо на сервері не " +"передбачено підтримки FAST, спроба розпізнавання зазнає невдачі." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" -msgstr "<option>-s</option>,<option>--stdin</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Типове значення: не встановлено, тобто FAST не використовується." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -"Пароль для заплутування буде прочитано зі стандартного джерела вхідних даних." +"Зауваження: будь ласка, зауважте, що для використання FAST потрібна таблиця " +"ключів." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>ДОМЕН</" -"replaceable>" +"Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT " +"Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою " +"версією MIT Kerberos і цим параметром, буде повідомлено про помилку у " +"налаштуваннях." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 -msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -"Домен SSSD, для якого буде використано пароль. Типовою назвою є " -"<quote>default</quote>." +"Визначає реєстраційний запис сервера, який слід використовувати для FAST." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +"Specifies if the host and user principal should be canonicalized. 
This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -"<option>-f</option>,<option>--file</option> <replaceable>ФАЙЛ</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." -msgstr "Прочитати дані з файла налаштувань, вказаного позиційним параметром." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "Типове значення: <filename>/etc/sssd/sssd.conf</filename>" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" -msgstr "sss_override" +"Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у " +"канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" -msgstr "створити локальні перевизначення атрибутів користувача і групи" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" +msgstr "krb5_kdcinfo_lookahead (рядок)" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -"<command>sss_override</command> <arg choice='plain'><replaceable>КОМАНДА</" -"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </" -"arg>" +"Якщо для krb5_use_kdcinfo встановлено значення true, ви можете обмежити " +"кількість серверів, які буде передано <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>. Це може бути корисним, якщо за допомогою запису " +"SRV виявляється надто багато серверів." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 +#, fuzzy +#| msgid "" +#| "The krb5_kdcinfo_lookahead option contains two numbers seperated by a " +#| "colon. The first number represents number of primary servers used and the " +#| "second number specifies the number of backup servers." msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." 
msgstr "" -"<command>sss_override</command> надає змогу створювати перегляди на боці " -"клієнта і змінювати вибрані значення для певного користувача і груп. Ці " -"зміни буде застосовано лише на локальному комп'ютері." +"Параметр krb5_kdcinfo_lookahead містить два числа, які відокремлено " +"двокрапкою. Перше число визначає кількість основних серверів, а друге — " +"кількість резервних серверів." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +#, fuzzy +#| msgid "" +#| "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +#| "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. but no backup " +#| "servers." msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -"Дані перевизначень зберігаються у кеші SSSD. Якщо кеш вилучено, усі локальні " -"перевизначення буде втрачено. 
Будь ласка, зауважте, що після першого " -"створення перевизначення за допомогою команди <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> або " -"<emphasis>group-import</emphasis> SSSD слід перезапустити, щоб зміни набули " -"чинності. Якщо потрібен перезапуск, <emphasis>sss_override</emphasis> виведе " -"відповідне повідомлення." +"Наприклад, <emphasis>10:0</emphasis> означає «буде передано до 10 основних " +"серверів до <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>», але не буде " +"передано резервні сервери." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" -msgstr "ДОСТУПНІ КОМАНДИ" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" +msgstr "Типове значення: 3:1" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 -msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." -msgstr "" -"Аргумент <emphasis>НАЗВА</emphasis> в усіх командах є назвою початкового " -"об'єкта. Не можна перевизначити <emphasis>uid</emphasis> або <emphasis>gid</" -"emphasis> на 0." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -"<option>user-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--" -"name</option> НАЗВА</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> ДОМІВКА</optional> <optional><option>-" -"s,--shell</option> ОБОЛОНКА</optional> <optional><option>-c,--gecos</option> " -"GECOS</optional> <optional><option>-x,--certificate</option> СЕРТИФІКАТ У " -"КОДУВАННІ BASE64</optional>" +"Визначає, чи слід вважати реєстраційні дані користувача даними промислового " +"рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові " +"реєстраційні дані." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" +msgstr "Типове значення: false (надається AD: true)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"Override attributes of an user. 
Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -"Перевизначити атрибути запису користувача. Будь ласка, зверніть увагу, що " -"виклик цієї команди замінить усі попередні перевизначення для вказаного за " -"назвою облікового запису користувача." +"Засіб надання даних IPA встановить для цього параметра значення «true», якщо " +"виявить, що сервер здатен обробляти реєстраційні дані промислового класу, і " +"параметр на встановлено явним чином у файлі налаштувань." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" -msgstr "<option>user-del</option> <emphasis>НАЗВА</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -"Вилучити перевизначення користувача. 
Втім, слід мати на увазі, що " -"перевизначені атрибути може бути повернено з кешу у пам'яті. Будь ласка, " -"ознайомтеся із документацією до параметра SSSD <emphasis>memcache_timeout</" -"emphasis>, щоб дізнатися більше." +"Список прив’язок визначається як список пар «користувач:основа», де " +"«користувач» — ім’я користувача UNIX, а «основа» — частина щодо користувача " +"у реєстраційному записі kerberos. Ця прив’язка використовується, якщо " +"користувач проходить розпізнавання із використанням «auth_provider = krb5»." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -"<option>user-find</option> <optional><option>-d,--domain</option> ДОМЕН</" -"optional>" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" -"Вивести список усіх користувачів, для яких встановлено перевизначення. 
Якщо " -"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише " -"користувачів з відповідного домену." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" -msgstr "<option>user-show</option> <emphasis>НАЗВА</emphasis>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." -msgstr "Показати перевизначення користувача." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" -msgstr "<option>user-import</option> <emphasis>ФАЙЛ</emphasis>" +"<quote>joe</quote> і <quote>dick</quote> — імена користувачів UNIX, а " +"<quote>juser</quote> і <quote>richard</quote> основні частини реєстраційних " +"записів kerberos. Для користувачів <quote>joe</quote> та, відповідно, " +"<quote>dick</quote> SSSD намагатиметься виконати ініціалізацію kinit як " +"<quote>juser@REALM</quote> і, відповідно, <quote>richard@REALM</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Імпортувати перевизначення користувачів з файла <emphasis>ФАЙЛ</emphasis>. 
" -"Формат даних у файлі має бути таким самим, як у стандартному файлі passwd. " -"Приклад:" +"Якщо у домені SSSD використано auth-module krb5, має бути використано " +"вказані нижче параметри. Зверніться до сторінки довідника (man) " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, розділ «РОЗДІЛИ ДОМЕНІВ», щоб дізнатися більше " +"про налаштування домену SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:606 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -"початкова_назва:назва:uid:gid:gecos:домівка:оболонка:" -"сертифікат_у_кодуванні_base64" +"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " +"чином, а FOO є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " +"У прикладі продемонстровано лише налаштування розпізнавання аз допомогою " +"Kerberos, там не вказано інструменту обробки профілів." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." 
+"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -"де «початкова_назва» — початкова назва запису користувача, чиї атрибути має " -"бути перевизначено. Решта полів відповідає новим значенням. Ви можете " -"пропустити значення, не заповнюючи відповідного поля." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" -msgstr "ckent:superman::::::" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" -msgstr "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" -msgstr "<option>user-export</option> <emphasis>ФАЙЛ</emphasis>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "створення нової групи" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." 
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"Експортувати усі перевизначені атрибути і зберегти їх у файлі " -"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>user-import</emphasis>, щоб " -"дізнатися більше про формат даних." +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -"<option>group-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--" -"name</option> НАЗВА</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<command>sss_groupadd</command> створює групу. Такі групи є сумісними з " +"групами POSIX. Додатковою можливістю цих груп є те, що учасниками можуть " +"бути інші групи." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -"Перевизначити атрибути запису групи. 
Будь ласка, зверніть увагу, що виклик " -"цієї команди замінить усі попередні перевизначення для вказаної за назвою " -"групи." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" -msgstr "<option>group-del</option> <emphasis>НАЗВА</emphasis>" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#: sss_groupadd.8.xml:48 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -"Вилучити перевизначення групи. Втім, слід мати на увазі, що перевизначені " -"атрибути може бути повернено з кешу у пам'яті. Будь ласка, ознайомтеся із " -"документацією до параметра SSSD <emphasis>memcache_timeout</emphasis>, щоб " -"дізнатися більше." +"Встановити для параметра ідентифікатора групи (GID) значення " +"<replaceable>GID</replaceable>. Якщо таке значення не буде вказано, програма " +"вибере його автоматично." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "вилучення облікового запису користувача" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"<option>group-find</option> <optional><option>-d,--domain</option> ДОМЕН</" -"optional>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg " +"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 msgid "" -"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" -"Вивести список усіх груп, для яких встановлено перевизначення. Якщо " -"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише групи з " -"відповідного домену." +"<command>sss_userdel</command> вилучає обліковий запис користувача " +"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> з системи." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" -msgstr "<option>group-show</option> <emphasis>НАЗВА</emphasis>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." 
-msgstr "Показати перевизначення групи." +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"Файли у домашньому каталозі користувача буде вилучено разом з самим домашнім " +"каталогом та поштовим буфером користувача. Може бути перевизначено у " +"налаштуваннях." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" -msgstr "<option>group-import</option> <emphasis>ФАЙЛ</emphasis>" +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_userdel.8.xml:60 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard group file. The format is:" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -"Імпортувати перевизначення груп з файла <emphasis>ФАЙЛ</emphasis>. Формат " -"даних у файлі має бути таким самим, як у стандартному файлі group. Приклад:" +"Файли у домашньому каталозі користувача НЕ буде вилучено разом з самим " +"домашнім каталогом та поштовим буфером користувача. Може бути перевизначено " +"у налаштуваннях." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" -msgstr "початкова_назва:назва:gid" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_userdel.8.xml:72 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" -"де «початкова_назва» — початкова назва групи, чиї атрибути має бути " -"перевизначено. Решта полів відповідає новим значенням. Ви можете пропустити " -"значення, не заповнюючи відповідного поля." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" -msgstr "admins:administrators:" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" -msgstr "Domain Users:Users:501" +"За допомогою цього параметра можна примусити <command>sss_userdel</command> " +"вилучати домашній каталог користувача та буфер пошти, навіть якщо їхнім " +"власником не є вказаний користувач." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" -msgstr "<option>group-export</option> <emphasis>ФАЙЛ</emphasis>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 -msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." 
+#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -"Експортувати усі перевизначені атрибути і зберегти їх у файлі " -"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>group-import</emphasis>, щоб " -"дізнатися більше про формат даних." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" -msgstr "ЗАГАЛЬНІ ПАРАМЕТРИ" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "Ці параметри можна використовувати з усіма командами." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" -msgstr "<option>--debug</option> <replaceable>РІВЕНЬ</replaceable>" +"До вилучення запису користувача завершити роботу всіх процесів, власником " +"яких є цей користувач." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" -msgstr "sss_useradd" +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" -msgstr "створення нового запису користувача" +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "вилучення групи" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#: sss_groupdel.8.xml:21 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" "arg>" msgstr "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg " -"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" +"arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sss_groupdel.8.xml:32 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -"<command>sss_useradd</command> створює обліковий запис користувача на основі " -"значень, вказаних у командному рядку та типових значень системи." +"<command>sss_groupdel</command> вилучає групу, вказану за допомогою " +"аргументу <replaceable>ГРУПА</replaceable>, з системи." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" -msgstr "" -"<option>-u</option>,<option>--uid</option> <replaceable>ідентифікатор " -"користувача</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 -msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." -msgstr "" -"Встановити для параметра ідентифікатора користувача (UID) значення " -"<replaceable>UID</replaceable>. Якщо таке значення не буде вказано, програма " -"вибере його автоматично." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "показ параметрів групи" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -"<option>-c</option>,<option>--gecos</option> <replaceable>КОМЕНТАР</" -"replaceable>" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." 
msgstr "" -"Будь-який рядок тексту, що описує користувача. Часто використовується для " -"зберігання паспортного імені користувача." +"<command>sss_groupshow</command> показує дані щодо групи, вказаної за " +"назвою, <replaceable>ГРУПА</replaceable>. Серед даних буде ідентифікаційний " +"номер групи, кількість учасників групи та назва батьківської групи." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" -msgstr "" -"<option>-h</option>,<option>--home</option> <replaceable>ДОМАШНІЙ_КАТАЛОГ</" -"replaceable>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 +#: sss_groupshow.8.xml:47 msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -"Домашній каталог облікового запису користувача. Типовою назвою такого " -"каталогу є назва, що утворюється додаванням <replaceable>ІМЕНІ_КОРИСТУВАЧА</" -"replaceable> до запису <filename>/home</filename>. Рядок, який буде додано " -"перед <replaceable>ІМЕНЕМ_КОРИСТУВАЧА</replaceable>, можна визначити за " -"допомогою параметра «user_defaults/baseDirectory» у sssd.conf." 
+"Вивести також список непрямих учасників групи у форматі деревоподібної " +"ієрархії. Зауважте, що використання параметра також вплине на виведення " +"батьківських груп: без <option>R</option> буде виведено список лише " +"безпосередніх батьківських груп." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "зміна облікового запису користувача" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -"<option>-s</option>,<option>--shell</option> <replaceable>ОБОЛОНКА</" -"replaceable>" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'><replaceable>ІМ’Я_КОРИСТУВАЧА</" +"replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -"Командна оболонка реєстрації користувача. 
У поточній версії типовою " -"оболонкою є <filename>/bin/bash</filename>. Типову оболонку можна змінити за " -"допомогою параметра «user_defaults/defaultShell» у sssd.conf." +"<command>sss_usermod</command> змінює параметри облікового запису " +"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> відповідно до значень, вказаних " +"у командному рядку." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" -msgstr "" -"<option>-G</option>,<option>--groups</option> <replaceable>ГРУПИ</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "Домашній каталог облікового запису користувача." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." -msgstr "Список груп, учасником яких є користувач." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "Оболонка для входу користувача до системи." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" -msgstr "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Додати запис користувача до груп, вказаних за допомогою параметра " +"<replaceable>ГРУПИ</replaceable>. Параметр <replaceable>ГРУПИ</replaceable> " +"є списком груп, відокремлених комами." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 +#: sss_usermod.8.xml:96 msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" -"Створити домашній каталог користувача, якщо такого ще не існує. До такого " -"домашнього каталогу буде скопійовано файли і каталоги з каркасного каталогу " -"(який можна визначити за допомогою параметра -k або запису у файлі " -"налаштувань)." +"Вилучає запис користувача з груп, вказаних за допомогою параметра " +"<replaceable>ГРУПИ</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" -msgstr "<option>-M</option>,<option>--no-create-home</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 -msgid "" -"Do not create the user's home directory. Overrides configuration settings." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -"Не створювати домашнього каталогу користувача. Має пріоритет над іншими " -"параметрами налаштування." +"Заблокувати обліковий запис користувача. Заблокований користувач не зможе " +"входити до системи." #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 -msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" -msgstr "" -"<option>-k</option>,<option>--skel</option> <replaceable>КАТАЛОГ_SKEL</" -"replaceable>" +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 -msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Розблокувати обліковий запис користувача." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "Ім’я користувача SELinux, що відповідає імені для входу до системи." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"Каркасний каталог, який містить файли і каталоги, які буде скопійовано до " -"домашнього каталогу користувача, коли такий домашній каталог створюється " -"командою <command>sss_useradd</command>." +"<option>--addattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Додати пару атрибут-значення. 
Форматування: атрибут=значення." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"Спеціальні файли (блокові пристрої, символьні пристрої, іменовані канали та " -"сокети UNIX) скопійовано не буде." +"<option>--setattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sss_usermod.8.xml:152 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" -"Цей параметр набуде чинності, лише якщо вказано параметр <option>-m</option> " -"(або <option>--create-home</option>) або для створення домашніх каталогів " -"вказано TRUE у налаштуваннях." +"Встановити для вказаного за назвою атрибута значення. Форматування: " +"атрибут=значення. Для атрибутів з декількома значеннями команда призведе до " +"заміни поточних значень." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>КОРИСТУВАЧ_SELINUX</replaceable>" +"<option>--delattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 -msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." -msgstr "" -"Користувач SELinux, що відповідає користувачеві, який увійшов до системи. " -"Якщо не вказано, буде використано типового користувача системи." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Вилучити пару атрибут-значення. Форматування: атрибут=значення." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" -msgstr "sssd-krb5" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" -msgstr "Модуль надання даних Kerberos SSSD" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "виконати спорожнення кешу" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" -"На цій сторінці довідника описано налаштування засобу розпізнавання Kerberos " -"5 для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. 
Щоб дізнатися більше про синтаксис налаштування, " -"зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"<command>sss_cache</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_cache.8.xml:31 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." msgstr "" -"Модуль розпізнавання Kerberos 5 містити засоби розпізнавання та зміни " -"паролів. З метою отримання належних результатів його слід використовувати " -"разом з інструментом обробки профілів (наприклад, id_provider = ldap). Деякі " -"з даних, потрібних для роботи модуля розпізнавання Kerberos 5, має бути " -"надано інструментом обробки профілів, серед цих даних Kerberos Principal " -"Name (UPN) або реєстраційне ім’я користувача. У налаштуваннях інструменту " -"обробки профілів має бути запис з визначенням UPN. Докладні настанови щодо " -"визначення такого UPN має бути викладено на сторінці довідника (man) " -"відповідного інструменту обробки профілів." +"<command>sss_cache</command> скасовує визначення записів у кеші SSSD. 
Дані " +"записів зі скасованими визначеннями буде перезавантажено з сервера у " +"примусовому порядку, щойно відповідний модуль SSSD отримає до них доступ. " +"Параметри, які скасовують визначення окремого об'єкта приймають лише один " +"аргумент." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "Скасувати чинність усіх кешованих записів." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>реєстраційні дані</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Скасувати визначення вказаного користувача." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. 
" -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" -"У цьому інструменті керування даними також передбачено можливості керування " -"доступом, засновані на даних з файла .k5login у домашньому каталозі " -"користувача. Докладніші відомості можна отримати з підручника до " -"<citerefentry> <refentrytitle>.k5login</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>. Зауважте, що якщо файл .k5login виявиться " -"порожнім, доступ користувачеві буде заборонено. Щоб задіяти можливість " -"керування доступом, додайте рядок «access_provider = krb5» до ваших " -"налаштувань SSSD." +"Скасувати визначення всіх записів. Цей параметр має вищий пріоритет за " +"параметр скасування визначення для будь-якого користувача, якщо такий " +"параметр вказано." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" -"У випадку, коли доступу до UPN у модулі профілів не передбачено, " -"<command>sssd</command> побудує UPN у форматі <replaceable>ім’я_користувача</" -"replaceable>@<replaceable>область_krb5</replaceable>." +"<option>-g</option>,<option>--group</option> <replaceable>група</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." 
+msgstr "Скасувати визначення вказаної групи." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів " -"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути " -"впорядковано за пріоритетом. Докладніше про резервування та додаткові " -"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може " -"бути додано номер порту (перед номером слід вписати двокрапку). Якщо " -"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше " -"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»." +"Скасувати визначення записів для всіх груп. Цей параметр має вищий пріоритет " +"за параметр скасування визначення для будь-якої групи, якщо такий параметр " +"вказано." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"The name of the Kerberos realm. 
This option is required and must be " -"specified." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -"Назва області Kerberos. Цей параметр є обов’язковим, його неодмінно слід " -"вказати." +"<option>-n</option>,<option>--netgroup</option> <replaceable>мережева група</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" -msgstr "krb5_kpasswd, krb5_backup_kpasswd (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Скасувати визначення вказаної мережевої групи." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" -"Якщо службу зміни паролів не запущено на KDC, тут можна визначити " -"альтернативні сервери. До адрес або назв вузлів можна додати номер порту " -"(перед яким слід вписати двокрапку)." +"Скасувати визначення всіх записів мережевих груп. Цей параметр має вищий " +"пріоритет за параметр скасування визначення для будь-якої мережевої групи, " +"якщо такий параметр вказано." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" -"Додаткові відомості щодо резервних серверів можна знайти у розділі «РЕЗЕРВ». " -"Зауваження: навіть якщо список всіх серверів kpasswd буде вичерпано, модуль " -"не перемкнеться у автономний режим роботи, якщо розпізнавання за KDC " -"залишатиметься можливим." +"<option>-s</option>,<option>--service</option> <replaceable>служба</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" -msgstr "Типове значення: використання KDC" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Скасувати визначення вказаної служби." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "krb5_ccachedir (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 msgid "" -"Directory to store credential caches. All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" -"Каталог для зберігання кешу реєстраційних даних. Тут також можна " -"використовувати усі замінники з krb5_ccname_template, окрім %d та %P. " -"Каталог створюється як конфіденційний, власником є користувач, права доступу " -"— 0700." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" -msgstr "Типове значення: /tmp" +"Скасувати визначення всіх записів служб. Цей параметр має вищий пріоритет за " +"параметр скасування визначення для будь-якої служби, якщо такий параметр " +"вказано." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" -msgstr "krb5_ccname_template (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>карта autofs</" +"replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" -msgstr "%u" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Скасувати визначення певної карти autofs." -#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" -msgstr "ім'я користувача" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" -msgstr "%U" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"Скасувати визначення всіх записів карт autofs. Цей параметр має вищий " +"пріоритет за параметр скасування визначення для будь-якої карти, якщо такий " +"параметр вказано." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" -msgstr "ідентифікатор користувача" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>назва вузла</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" -msgstr "%p" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "Скасувати чинність відкритих ключів SSH певного вузла." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" -msgstr "назва реєстраційного запису" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "<option>-H</option>,<option>--ssh-hosts</option>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" -msgstr "%r" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" +"Скасувати чинність усіх відкритих ключів SSH усіх вузлів. Цей параметр " +"перевизначає скасовування чинності ключів SSH певних вузлів, якщо для них " +"було використано таке скасовування." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" -msgstr "назва області" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>правило</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" -msgstr "%h" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." 
+msgstr "Скасувати чинність певного правила sudo." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" -msgstr "домашній каталог" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "<option>-R</option>,<option>--sudo-rules</option>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" -msgstr "%d" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" +"Скасувати визначення усіх кешованих правил sudo. Цей параметр має вищий " +"пріоритет за параметр скасування визначення для будь-якого правила sudo, " +"якщо такий параметр вказано." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" -msgstr "значення krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>домен</" +"replaceable>" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" -msgstr "%P" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Обмежити процедуру скасування визначення лише певним доменом." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" -msgstr "ідентифікатор процесу клієнтської частини SSSD" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" -msgstr "%%" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "[ЗАСТАРІЛИЙ] змінити рівень діагностики протягом сеансу роботи з SSSD" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" -msgstr "символ відсотків («%»)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg " +"choice='plain'><replaceable>НОВИЙ_РІВЕНЬ_ДІАГНОСТИКИ</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -"Розташування кешу з реєстраційними даними користувача У поточній версії " -"передбачено підтримку трьох типів кешу реєстраційних даних: <quote>FILE</" -"quote>, <quote>DIR</quote> та <quote>KEYRING:persistent</quote>. Кеш може " -"бути вказано або у форматі <replaceable>ТИП:РЕШТА</replaceable>, або у " -"форматі абсолютного шляху (тоді вважається, що типом кешу є <quote>FILE</" -"quote>). У шаблоні передбачено можливість використання таких послідовностей-" -"замінників: <placeholder type=\"variablelist\" id=\"0\"/> Якщо шаблон " -"завершується послідовністю «XXXXXX», для безпечного створення назви файла " -"використовується mkstemp(3)." +"<command>sss_debuglevel</command> вважається застарілим, його замінено " +"командою debug-level sssctl. Будь ласка, зверніться до сторінки підручника " +"щодо <command>sssctl</command>, щоб дізнатися більше про використання sssctl." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "надсилає дані кешу SSSD щодо користувача" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" msgstr "" -"Якщо використовуються типи KEYRING, єдиним підтримуваним механізмом є " -"«KEYRING:persistent:%U», тобто використання сховища ключів ядра Linux для " -"зберігання реєстраційних даних на основі поділу за UID. Цей варіант є " -"рекомендованим, оскільки це найбезпечніший та найпередбачуваніший спосіб." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>параметри</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>ДОМЕН</replaceable></" +"arg> <arg choice='plain'>-n <replaceable>КОРИСТУВАЧ</replaceable></arg>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. 
See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" -"Типове значення назви кешу реєстраційних даних буде запозичено з " -"загальносистемного профілю, що зберігається у файлі налаштувань krb5.conf, " -"розділ [libdefaults]. Назва параметра — default_ccache_name. Див. розділ " -"щодо розгортання параметрів (PARAMETER EXPANSION) у довідці щодо krb5." -"conf(5), щоб отримати додаткові дані щодо формату розгортання, використаного " -"у krb5.conf." +"<command>sss_seed</command> розповсюджує кеш SSSD з записом користувача і " +"тимчасовим паролем. Якщо запис користувача вже є у кеші SSSD, запис буде " +"оновлено зі встановленням тимчасового пароля." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -"ЗАУВАЖЕННЯ: майте на увазі, що шаблон розширення ccache libkrb5 з " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> використовує інші послідовності розширення, що не " -"збігаються із використаними у SSSD." +"<option>-D</option>,<option>--domain</option> <replaceable>ДОМЕН</" +"replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" -msgstr "Типове значення: (з libkrb5)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Визначає назву домену, учасником якого є користувач. Домен використовується " +"для отримання даних щодо користувачів. Домен має бути налаштовано у sssd." +"conf. Має бути надано аргумент <replaceable>ДОМЕН</replaceable>. Дані, " +"отримані з домену, матимуть вищий пріоритет за дані, вказані за допомогою " +"параметрів." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" -msgstr "krb5_auth_timeout (ціле число)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>КОРИСТУВАЧ</" +"replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"The username of the entry to be created or modified in the cache. 
The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" -"Час очікування, по завершенню якого буде перервано запит щодо розпізнавання " -"або зміни пароля у мережі. Якщо це можливо, обробку запиту щодо " -"розпізнавання буде продовжено у автономному режимі." +"Ім’я користувача, запис якого слід створити або змінити у кеші. Має бути " +"вказано аргумент <replaceable>КОРИСТУВАЧ</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" -msgstr "krb5_validate (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Встановити UID користувача у значення <replaceable>UID</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "Встановити GID користувача у значення <replaceable>GID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." 
msgstr "" -"Перевірити за допомогою krb5_keytab, чи отриманий TGT не було підмінено. " -"Перевірка записів у таблиці ключів виконується послідовно. Для перевірки " -"використовується перший запис з відповідним значенням області. Якщо не буде " -"знайдено жодного відповідного області запису, буде використано останній " -"запис з таблиці ключів. Цим процесом можна скористатися для перевірки " -"середовищ за допомогою зв’язків довіри між записами областей: достатньо " -"розташувати відповідний запис таблиці ключів на останньому місці або зробити " -"його єдиним записом у файлі таблиці ключів." +"Встановити домашній каталог користувача у значення " +"<replaceable>ДОМАШНІЙ_КАТАЛОГ</replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" -msgstr "krb5_keytab (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" +"Встановити оболонку реєстрації користувача у значення <replaceable>ОБОЛОНКА</" +"replaceable>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" -"Розташування таблиці ключів, якою слід скористатися під час перевірки " -"реєстраційних даних, отриманих від KDC." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" -msgstr "Типове значення: /etc/krb5.keytab" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" -msgstr "krb5_store_password_if_offline (булівське значення)" +"Інтерактивний режим для введення даних користувача. У разі використання " +"цього параметра програма надсилатиме запит лише щодо даних, які не було " +"отримано з параметрів команди або домену." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" -"Зберігати пароль користувача, якщо засіб перевірки перебуває поза мережею, і " -"використовувати його для запитів TGT після встановлення з’єднання з засобом " -"перевірки." +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>ФАЙЛ_ПАРОЛІВ</replaceable>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +"Specify file to read user's password from. 
(if not specified password is " +"prompted for)" msgstr "" -"Зауваження: ця можливість у поточній версії доступна лише на платформі " -"Linux. Паролі зберігатимуться у форматі звичайного тексту (без шифрування) у " -"сховищі ключів ядра, потенційно до них може отримати доступ адміністративний " -"користувач (root), але йому для цього слід буде подолати деякі перешкоди." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" -msgstr "krb5_renewable_lifetime (рядок)" +"Вказати файл, звідки слід читати дані щодо паролів користувачів. Якщо пароль " +"не буде знайдено, програма надішле запит на його введення." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" -"Надіслати запит щодо поновлюваного квитка з загальним строком дії, вказаним " -"за допомогою цілого числа, за яким одразу вказано одиницю часу:" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" -msgstr "<emphasis>s</emphasis> — секунди" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" -msgstr "<emphasis>m</emphasis> — хвилини" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" -msgstr "<emphasis>h</emphasis> — години" +"Довжина пароля (або розмір файла, визначеного за допомогою параметра -p або " +"--password-file) має бути меншою або рівною PASS_MAX байтів (64 байти у " +"системах без визначеного на загальному рівні значення PASS_MAX)." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." -msgstr "<emphasis>d</emphasis> — дні." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." -msgstr "" -"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " -"<emphasis>s</emphasis>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "Відповідач InfoPipe SSSD" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " -"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " -"«1h30m»." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" -msgstr "Типове значення: не встановлено, тобто TGT не є оновлюваним" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" -msgstr "krb5_lifetime (рядок)" +"На цій сторінці довідника описано налаштування засобу надання відповідей " +"InfoPipe для <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис " +"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -"Надіслати запит щодо квитка з загальним строком дії, вказаним за допомогою " -"цілого числа, за яким одразу вказано одиницю часу:" +"Відповідач InfoPipe забезпечує роботу відкритого інтерфейсу D-Bus над " +"системним каналом повідомлень. 
За допомогою цього інтерфейсу користувачі " +"можуть надсилати загальносистемним каналом повідомлень запити щодо " +"інформації про віддалених користувачів і групи." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" -"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " -"<emphasis>s</emphasis>." +"Цими параметрами можна скористатися для налаштовування відповідача InfoPipe." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " -"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " -"«1h30m»." +"Визначає список значень UID або імен користувачів, відокремлених комами. " +"Користувачам з цього списку буде дозволено доступ до відповідача InfoPipe. " +"UID за іменами користувачів визначатимуться під час запуску." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" -"Типове значення: не встановлено, тобто типовий строк дії квитка " -"визначатиметься у налаштуваннях KDC." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" -msgstr "krb5_renew_interval (рядок)" +"Типове значення: 0 (доступ до відповідача InfoPipe має лише адміністративний " +"користувач (root))" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -"Час у секундах між двома послідовними перевірками того, чи слід оновлювати " -"записи TGT. Записи TGT оновлюються після завершення приблизно половини " -"їхнього строку дії, що задається як ціле число з наступним позначенням " -"одиниці часу:" +"Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID " +"буде перевизначено на основі цього параметра. Якщо ви хочете надати " +"адміністративному користувачеві (root) доступ до відповідача InfoPipe, що " +"може бути типовим варіантом, вам слід додати до списку UID з правами доступу " +"запис 0." -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -"Якщо значення для цього параметра встановлено не буде або буде встановлено " -"значення 0, автоматичного оновлення не відбуватиметься." +"Визначає список атрибутів з «білого» або «чорного» списків, відокремлених " +"комами." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "реєстраційне ім’я користувача" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "ідентифікатор користувача" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "ідентифікатор основної групи" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "дані щодо користувача, типово ім’я повністю" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" -msgstr "krb5_use_fast (рядок)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 -msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" -msgstr "" -"Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible " -"authentication secure tunneling або FAST) для попереднього розпізнавання у " -"Kerberos. Передбачено такі варіанти:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 -msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." -msgstr "" -"<emphasis>never</emphasis> використовувати FAST, рівнозначний варіанту, за " -"якого значення цього параметра взагалі не задається." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "командна оболонка користувача" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 msgid "" -"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " -"continue the authentication without it." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -"<emphasis>try</emphasis> — використовувати FAST. Якщо на сервері не " -"передбачено підтримки FAST, продовжити розпізнавання без FAST." +"Типово, відповідач InfoPipe надає дані лише щодо типового набору атрибутів " +"POSIX. Цей набір є тим самим, який повертає програма <citerefentry> " +"<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>, його елементи: <placeholder type=\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." -msgstr "" -"<emphasis>demand</emphasis> — використовувати FAST. Якщо на сервері не " -"передбачено підтримки FAST, спроба розпізнавання зазнає невдачі." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." -msgstr "Типове значення: не встановлено, тобто FAST не використовується." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" -"Зауваження: будь ласка, зауважте, що для використання FAST потрібна таблиця " -"ключів." +"user_attributes = +telephoneNumber, -loginShell\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT " -"Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою " -"версією MIT Kerberos і цим параметром, буде повідомлено про помилку у " -"налаштуваннях." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" -msgstr "krb5_fast_principal (рядок)" +"Ви можете додати інший атрибут до цього набору за допомогою параметра " +"«+назва_атрибута» або явним чином виключити атрибут за допомогою параметра «-" +"назва_атрибута». Наприклад, щоб дозволити «telephoneNumber», але заборонити " +"«loginShell», вам слід скористатися такими налаштуваннями: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" -"Визначає реєстраційний запис сервера, який слід використовувати для FAST." +"Типове значення: не встановлено. Дозволено лише типовий набір атрибутів " +"POSIX." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -"Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у " -"канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" -msgstr "krb5_kdcinfo_lookahead (рядок)" +"Визначає верхню межу для кількості записів, які отримуватимуться під час " +"пошуку з використанням символів-замінників, які перевизначають обмеження, " +"яке накладається функцією виклику." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 -msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -"Якщо для krb5_use_kdcinfo встановлено значення true, ви можете обмежити " -"кількість серверів, які буде передано <citerefentry> " -"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. Це може бути корисним, якщо за допомогою запису " -"SRV виявляється надто багато серверів." +"Типове значення: 0 (дозволити встановлювати верхнє обмеження функції виклику)" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 -#, fuzzy -#| msgid "" -#| "The krb5_kdcinfo_lookahead option contains two numbers seperated by a " -#| "colon. The first number represents number of primary servers used and the " -#| "second number specifies the number of backup servers." +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. 
" -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" -"Параметр krb5_kdcinfo_lookahead містить два числа, які відокремлено " -"двокрапкою. Перше число визначає кількість основних серверів, а друге — " -"кількість резервних серверів." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Розробник (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Розробник (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 -#, fuzzy -#| msgid "" -#| "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -#| "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. but no backup " -#| "servers." -msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." 
-msgstr "" -"Наприклад, <emphasis>10:0</emphasis> означає «буде передано до 10 основних " -"серверів до <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>», але не буде " -"передано резервні сервери." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "sss_rpcidmapd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" -msgstr "Типове значення: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "Директиви налаштовування додатка sss для rpc.idmapd" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" -msgstr "krb5_use_enterprise_principal (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "ФАЙЛ НАЛАШТУВАНЬ" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -"Визначає, чи слід вважати реєстраційні дані користувача даними промислового " -"рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові " -"реєстраційні дані." 
+"Файл налаштувань rpc.idmapd зазвичай зберігається тут: <emphasis>/etc/idmapd." +"conf</emphasis>. Див. підручник з <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися " +"більше." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" -msgstr "Типове значення: false (надається AD: true)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "РОЗШИРЕННЯ НАЛАШТОВУВАННЯ SSS" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "Вмикання додатка SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -"Засіб надання даних IPA встановить для цього параметра значення «true», якщо " -"виявить, що сервер здатен обробляти реєстраційні дані промислового класу, і " -"параметр на встановлено явним чином у файлі налаштувань." +"У розділі «[Translation]» змініть або додайте атрибут «Method» із вмістом " +"<emphasis>sss</emphasis>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" -msgstr "krb5_map_user (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "Розділ налаштовування [sss]" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -"Список прив’язок визначається як список пар «користувач:основа», де " -"«користувач» — ім’я користувача UNIX, а «основа» — частина щодо користувача " -"у реєстраційному записі kerberos. Ця прив’язка використовується, якщо " -"користувач проходить розпізнавання із використанням «auth_provider = krb5»." +"Якщо вам потрібно змінити типове значення одного з атрибутів налаштувань, " +"перелічених нижче, додатка <emphasis>sss</emphasis>, вам слід створити " +"розділ налаштувань для нього з назвою «[sss]»." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "Атрибути налаштувань" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "memcache (булеве значення)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "Визначає, чи слід використовувати методику оптимізації кешу у пам’яті." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "ІНТЕГРАЦІЯ З SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +"Додаток sss потребує вмикання <emphasis>Відповідача NSS</emphasis> у sssd." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -"<quote>joe</quote> і <quote>dick</quote> — імена користувачів UNIX, а " -"<quote>juser</quote> і <quote>richard</quote> основні частини реєстраційних " -"записів kerberos. Для користувачів <quote>joe</quote> та, відповідно, " -"<quote>dick</quote> SSSD намагатиметься виконати ініціалізацію kinit як " -"<quote>juser@REALM</quote> і, відповідно, <quote>richard@REALM</quote>." 
+"Атрибут «use_fully_qualified_names» має бути увімкнено для усіх доменів " +"(клієнти NFSv4 очікують на те, що надсилається назва повністю)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" msgstr "" -"Якщо у домені SSSD використано auth-module krb5, має бути використано " -"вказані нижче параметри. Зверніться до сторінки довідника (man) " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>, розділ «РОЗДІЛИ ДОМЕНІВ», щоб дізнатися більше " -"про налаштування домену SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" +"[General]\n" +"Verbosity = 2\n" +"# домен має бути синхронізовано між сервером NFSv4 та клієнтами\n" +"# У Solaris/Illumos/AIX типово використовується \"локальний домен\"!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sss_rpcidmapd.5.xml:100 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. 
This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " -"чином, а FOO є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " -"У прикладі продемонстровано лише налаштування розпізнавання аз допомогою " -"Kerberos, там не вказано інструменту обробки профілів." +"У наведеному нижче прикладі показано мінімальний вигляд idmapd.conf, де " +"використовується додаток sss. <placeholder type=\"programlisting\" id=\"0\"/" +">" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 -#, no-wrap +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "ТАКОЖ ПЕРЕГЛЯНЬТЕ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" #. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" -msgstr "sss_groupadd" +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" -msgstr "створення нової групи" +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "отримати уповноважені ключі OpenSSH" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#: sss_ssh_authorizedkeys.1.xml:21 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" -"arg>" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>параметри</replaceable> </arg> <arg " +"choice='plain'><replaceable>КОРИСТУВАЧ</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 -msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." -msgstr "" -"<command>sss_groupadd</command> створює групу. Такі групи є сумісними з " -"групами POSIX. 
Додатковою можливістю цих груп є те, що учасниками можуть " -"бути інші групи." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +#: sss_ssh_authorizedkeys.1.xml:32 msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +"<command>sss_ssh_authorizedkeys</command> отримує відкриті ключі SSH для " +"користувача <replaceable>КОРИСТУВАЧ</replaceable> і виводить їх у форматі " +"authorized_keys OpenSSH (щоб дізнатися більше, див. розділ <quote>ФОРМАТ " +"ФАЙЛІВ AUTHORIZED_KEYS</quote> на сторінці підручника (man) з " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." 
msgstr "" -"Встановити для параметра ідентифікатора групи (GID) значення " -"<replaceable>GID</replaceable>. Якщо таке значення не буде вказано, програма " -"вибере його автоматично." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" -msgstr "sss_userdel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" -msgstr "вилучення облікового запису користувача" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> можна налаштувати на використання " +"<command>sss_ssh_authorizedkeys</command> для розпізнавання користувачів за " +"відкритими ключами, якщо програму зібрано із підтримкою параметра " +"<quote>AuthorizedKeysCommand</quote>. Будь ласка, зверніться до сторінки " +"підручника <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>, щоб дізнатися більше про цей " +"параметр." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg " -"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#: sss_ssh_authorizedkeys.1.xml:52 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -"<command>sss_userdel</command> вилучає обліковий запис користувача " -"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> з системи." +"Якщо передбачено підтримку <quote>AuthorizedKeysCommand</quote>, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> можна налаштувати на використання ключів за допомогою таких " +"інструкцій у <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" -msgstr "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "КЛЮЧІ З СЕРТИФІКАТІВ" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." 
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -"Файли у домашньому каталозі користувача буде вилучено разом з самим домашнім " -"каталогом та поштовим буфером користувача. Може бути перевизначено у " -"налаштуваннях." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" -msgstr "<option>-R</option>,<option>--no-remove</option>" +"Окрім відкрити ключів SSH для користувача <replaceable>КОРИСТУВАЧ</" +"replaceable>, <command>sss_ssh_authorizedkeys</command> може повертати ключі " +"SSH, які походять від відкритого ключа сертифіката X.509." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -"Файли у домашньому каталозі користувача НЕ буде вилучено разом з самим " -"домашнім каталогом та поштовим буфером користувача. Може бути перевизначено " -"у налаштуваннях." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" -msgstr "<option>-f</option>,<option>--force</option>" +"Щоб уможливити це, слід встановити для параметра " +"<quote>ssh_use_certificate_keys</quote> значення true (типове значення) у " +"розділі [ssh] файла <filename>sssd.conf</filename>. Якщо запис користувача " +"містить сертифікати (див <quote>ldap_user_certificate</quote> на сторінці " +"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>, щоб дізнатися більше) або існує сертифікат у " +"записі перевизначення для користувача (див. " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> або <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry>, щоб дізнатися " +"більше), а сертифікат є чинним, SSSD видобуде відкритий ключі з сертифіката " +"і перетворить його до формату, який може використовувати sshd." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 -msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -"За допомогою цього параметра можна примусити <command>sss_userdel</command> " -"вилучати домашній каталог користувача та буфер пошти, навіть якщо їхнім " -"власником не є вказаний користувач." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" -msgstr "<option>-k</option>,<option>--kick</option>" +"Окрім <quote>ssh_use_certificate_keys</quote>, може бути використано " +"параметри" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." -msgstr "" -"До вилучення запису користувача завершити роботу всіх процесів, власником " -"яких є цей користувач." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "ca_db" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" -msgstr "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "p11_child_timeout" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" -msgstr "вилучення групи" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "certificate_verification" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" -"arg>" +"для керування способом встановлення чинності сертифікатів (докладніше див. " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -"<command>sss_groupdel</command> вилучає групу, вказану за допомогою " -"аргументу <replaceable>ГРУПА</replaceable>, з системи." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" -msgstr "sss_groupshow" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" -msgstr "показ параметрів групи" +"Перевірка чинності є перевагою використання сертифікатів X.509 замість " +"ключів SSH безпосередньо, оскільки, наприклад, це поліпшує можливості " +"керування часом придатності ключів. Якщо клієнт ssh налаштовано не " +"використання закритих ключів з смарткартки за допомогою бібліотеки PKCS#11 " +"спільного використання (див. <citerefentry><refentrytitle>ssh</" +"refentrytitle> <manvolnum>1</manvolnum></citerefentry>, щоб дізнатися " +"більше), може дратувати те, що розпізнавання залишається працездатним, " +"навіть якщо пов'язаний із ним сертифікат X.509 на смарткартці вже втратив " +"чинність, оскільки ні <command>ssh</command>, ні <command>sshd</command> не " +"братимуть сертифікат до уваги взагалі." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></" -"arg>" +"Слід зауважити, що похідний відкритий ключ SSH все одно можна додати до " +"файла <filename>authorized_keys</filename> користувача, щоб обійти перевірку " +"чинності сертифіката, якщо налаштування <command>sshd</command> надають " +"змогу це робити." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"<command>sss_groupshow</command> показує дані щодо групи, вказаної за " -"назвою, <replaceable>ГРУПА</replaceable>. Серед даних буде ідентифікаційний " -"номер групи, кількість учасників групи та назва батьківської групи." +"Шукати відкриті ключі користувачів у домені SSSD <replaceable>ДОМЕН</" +"replaceable>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" -msgstr "<option>-R</option>,<option>--recursive</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "СТАН ВИХОДУ" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -"Вивести також список непрямих учасників групи у форматі деревоподібної " -"ієрархії. Зауважте, що використання параметра також вплине на виведення " -"батьківських груп: без <option>R</option> буде виведено список лише " -"безпосередніх батьківських груп." +"У випадку успіху значення стану виходу дорівнює 0. У всіх інших випадках " +"програма повертає 1." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" -msgstr "sss_usermod" +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" -msgstr "зміна облікового запису користувача" +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "отримати ключі вузла OpenSSH" #. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg> <arg choice='plain'><replaceable>ІМ’Я_КОРИСТУВАЧА</" -"replaceable></arg>" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>параметри</replaceable> </arg> <arg " +"choice='plain'><replaceable>ВУЗОЛ</replaceable></arg> <arg " +"choice='opt'><replaceable>КОМАНДА_ПРОКСІ</replaceable></arg>" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" -"<command>sss_usermod</command> змінює параметри облікового запису " -"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> відповідно до значень, вказаних " -"у командному рядку." - -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." -msgstr "Домашній каталог облікового запису користувача." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." -msgstr "Оболонка для входу користувача до системи." +"<command>sss_ssh_knownhostsproxy</command> отримує відкриті ключі вузла SSH " +"для вузла <replaceable>ВУЗОЛ</replaceable>, зберігає їх до нетипового файла " +"OpenSSH known_hosts (щоб дізнатися більше, ознайомтеся з розділом " +"<quote>ФОРМАТ ФАЙЛІВ SSH_KNOWN_HOSTS</quote> сторінки підручника (man) " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry>) за адресою <filename>/var/lib/sss/pubconf/known_hosts</" +"filename> і встановлює з’єднання з вузлом." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -"Додати запис користувача до груп, вказаних за допомогою параметра " -"<replaceable>ГРУПИ</replaceable>. Параметр <replaceable>ГРУПИ</replaceable> " -"є списком груп, відокремлених комами." +"Якщо вказано параметр <replaceable>КОМАНДА_ПРОКСІ</replaceable>, замість " +"відкриття сокета для створення з’єднання буде використано відповідну команду." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -"Вилучає запис користувача з груп, вказаних за допомогою параметра " -"<replaceable>ГРУПИ</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" -msgstr "<option>-l</option>,<option>--lock</option>" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Заблокувати обліковий запис користувача. Заблокований користувач не зможе " -"входити до системи." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" -msgstr "<option>-u</option>,<option>--unlock</option>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." 
-msgstr "Розблокувати обліковий запис користувача." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." -msgstr "Ім’я користувача SELinux, що відповідає імені для входу до системи." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> можна налаштувати на використання " +"<command>sss_ssh_knownhostsproxy</command> для розпізнавання вузлів за " +"ключами за допомогою таких інструкцій у налаштуваннях " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -"<option>--addattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" +"<option>-p</option>,<option>--port</option> <replaceable>ПОРТ</replaceable>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." -msgstr "Додати пару атрибут-значення. Форматування: атрибут=значення." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -"<option>--setattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" +"Використовувати для встановлення з’єднання з вузлом порт <replaceable>ПОРТ</" +"replaceable>. 
Типовим портом є порт 22." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sss_ssh_knownhostsproxy.1.xml:83 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -"Встановити для вказаного за назвою атрибута значення. Форматування: " -"атрибут=значення. Для атрибутів з декількома значеннями команда призведе до " -"заміни поточних значень." +"Шукати відкриті ключі вузлів у домені SSSD <replaceable>ДОМЕН</replaceable>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" -msgstr "" -"<option>--delattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>" +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" +msgstr "<option>-k</option>,<option>--pubkey</option>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." -msgstr "Вилучити пару атрибут-значення. Форматування: атрибут=значення." +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "Вивести відкриті ключі SSH для вузла <replaceable>HOST</replaceable>." #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" -msgstr "sss_cache" +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "idmap_sss" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" -msgstr "виконати спорожнення кешу" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" -msgstr "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>параметри</" -"replaceable> </arg>" +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "Модуль idmap_sss SSSD для Winbind" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#: idmap_sss.8.xml:22 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -"<command>sss_cache</command> скасовує визначення записів у кеші SSSD. Дані " -"записів зі скасованими визначеннями буде перезавантажено з сервера у " -"примусовому порядку, щойно відповідний модуль SSSD отримає до них доступ. " -"Параметри, які скасовують визначення окремого об'єкта приймають лише один " -"аргумент." +"Модуль idmap_sss надає змогу викликати SSSD для прив'язки UID/GID і SID. У " +"цьому випадку база даних не потрібна, оскільки прив'язка виконується " +"засобами SSSD." + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "ПАРАМЕТРИ IDMAP" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" -msgstr "<option>-E</option>,<option>--everything</option>" +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "діапазон = нижче - вище" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." -msgstr "Скасувати чинність усіх кешованих записів." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 +#: idmap_sss.8.xml:35 msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -"<option>-u</option>,<option>--user</option> <replaceable>реєстраційні дані</" -"replaceable>" +"Визначає доступний для обробки модулем діапазон відповідності UID і GID." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." -msgstr "Скасувати визначення вказаного користувача." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" +"У цьому прикладі продемонстровано налаштовування idmap_sss як типового " +"модуля прив'язки." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" -msgstr "<option>-U</option>,<option>--users</option>" +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " +msgstr "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -"Скасувати визначення всіх записів. Цей параметр має вищий пріоритет за " -"параметр скасування визначення для будь-якого користувача, якщо такий " -"параметр вказано." +"Будь ласка, замініть <AD-DOMAIN-SHORTNAME> на назву домену у NetBIOS " +"домену AD. Якщо має бути використано декілька доменів AD, для кожного домену " +"потрібен рядок <literal>idmap config</literal> із <literal>backend = sss</" +"literal> і рядок із відповідним <literal>range</literal>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -"<option>-g</option>,<option>--group</option> <replaceable>група</replaceable>" +"Оскільки для Winbind потрібен придатний до запису типовий модуль, а " +"idmap_sss є придатним лише для читання, до прикладу включено як типовий " +"модуль <literal>backend = tdb</literal>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." -msgstr "Скасувати визначення вказаної групи." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "sssctl" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" -msgstr "<option>-G</option>,<option>--groups</option>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "Засіб керування і визначення стану SSSD" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -"Скасувати визначення записів для всіх груп. 
Цей параметр має вищий пріоритет " -"за параметр скасування визначення для будь-якої групи, якщо такий параметр " -"вказано." +"<command>sssctl</command> <arg choice='plain'><replaceable>КОМАНДА</" +"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </" +"arg>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>мережева група</" -"replaceable>" +"<command>sssctl</command> є простим і уніфікованим засобом отримання даних " +"щодо стану SSSD, зокрема активного сервера, серверів автоматичного " +"визначення, доменів і кешованих об'єктів. Крім того, програма здатна " +"керувати файлами даних SSSD для усування вад у такий спосіб, щоб з ними " +"можна було безпечно працювати, доки працює SSSD." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." -msgstr "Скасувати визначення вказаної мережевої групи." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" +"Щоб ознайомитися зі списком усіх доступних команд, віддайте команду " +"<command>sssctl</command> без параметрів. 
Щоб програма вивела довідкове " +"повідомлення щодо певної команди, віддайте команду <command>sssctl КОМАНДА --" +"help</command>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" -msgstr "<option>-N</option>,<option>--netgroups</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "sssd-files" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "Засіб надання файлів SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Скасувати визначення всіх записів мережевих груп. Цей параметр має вищий " -"пріоритет за параметр скасування визначення для будь-якої мережевої групи, " -"якщо такий параметр вказано." +"На цій сторінці довідника описано налаштування засобу обробки файлів для " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Щоб дізнатися більше про синтаксис налаштування, зверніться " +"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -"<option>-s</option>,<option>--service</option> <replaceable>служба</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." -msgstr "Скасувати визначення вказаної служби." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" -msgstr "<option>-S</option>,<option>--services</option>" +"Засіб надання даних файлів створює дзеркальну копію вмісту файлів " +"<citerefentry> <refentrytitle>passwd</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> і <citerefentry> <refentrytitle>group</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Метою роботи засобу " +"надання даних файлів є забезпечення доступу до даних користувачів і груп, " +"які традиційно доступні за допомогою інтерфейсів NSS, також за допомогою " +"інтерфейсів SSSD, зокрема <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"Another reason is to provide efficient caching of local users and groups." msgstr "" -"Скасувати визначення всіх записів служб. Цей параметр має вищий пріоритет за " -"параметр скасування визначення для будь-якої служби, якщо такий параметр " -"вказано." +"Іншою причиною може бути потреба у забезпеченні ефективного кешування даних " +"локальних користувачів і груп." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>карта autofs</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." -msgstr "Скасувати визначення певної карти autofs." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" -msgstr "<option>-A</option>,<option>--autofs-maps</option>" +"Будь ласка, зауважте, що у деяких дистрибутивах домен files увімкнено " +"автоматично, оскільки цей домен додано до будь-якого із явно визначених " +"доменів. 
Див. enable_files_domain у <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" -"Скасувати визначення всіх записів карт autofs. Цей параметр має вищий " -"пріоритет за параметр скасування визначення для будь-якої карти, якщо такий " -"параметр вказано." +"SSSD ніколи не виконує визначення для користувача або групи «root». Крім " +"того, SSSD не обробляє запити щодо визначення UID/GID 0. Такі запити " +"передаються наступному модулю NSS (зазвичай, files)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>назва вузла</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." -msgstr "Скасувати чинність відкритих ключів SSH певного вузла." +"Якщо SSSD не запущено або програма не відповідає, nss_sss повертає код " +"UNAVAIL, що спричиняє передавання запиту наступному модулю." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" -msgstr "<option>-H</option>,<option>--ssh-hosts</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" +msgstr "passwd_files (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:99 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"Скасувати чинність усіх відкритих ключів SSH усіх вузлів. Цей параметр " -"перевизначає скасовування чинності ключів SSH певних вузлів, якщо для них " -"було використано таке скасовування." +"Список з однієї чи декількох відокремлених комами назв файлів паролів, які " +"слід прочитати і нумерувати засобу надання даних файлів. Для кожного " +"вказаного файла буде встановлено спостереження за допомогою inotify для " +"динамічного виявлення внесених до нього змін." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" +msgstr "Типове значення: /etc/passwd" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:111 +msgid "group_files (string)" +msgstr "group_files (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:114 msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>правило</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." -msgstr "Скасувати чинність певного правила sudo." +"Список з однієї чи декількох відокремлених комами назв файлів груп, які слід " +"прочитати і нумерувати засобу надання даних файлів. Для кожного вказаного " +"файла буде встановлено спостереження за допомогою inotify для динамічного " +"виявлення внесених до нього змін." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" -msgstr "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "Типове значення: /etc/group" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. 
Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Скасувати визначення усіх кешованих правил sudo. Цей параметр має вищий " -"пріоритет за параметр скасування визначення для будь-якого правила sudo, " -"якщо такий параметр вказано." +"Окрім параметрів із наведеного нижче списку, можна встановлювати, де це є " +"відповідним, загальні параметри домену SSSD. Зверніться до розділу " +"<quote>РОЗДІЛИ ДОМЕНІВ</quote> сторінки підручника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, щоб дізнатися більше про налаштовування домені SSSD. Втім, " +"призначенням надавача даних files є надання тих самих даних, які " +"встановлюються для файлів UNIX, просто за допомогою інтерфейсів SSSD. Тому " +"передбачено підтримку не усіх загальних параметрів доменів. Так само, деякі " +"загальні параметри, зокрема перевизначення командної оболонки у розділі " +"<quote>nss</quote> для усіх доменів, ні на що не впливають у домені files, " +"якщо їх не вказано явним чином для окремих доменів. <placeholder type=" +"\"variablelist\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -"<option>-d</option>,<option>--domain</option> <replaceable>домен</" -"replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." -msgstr "Обмежити процедуру скасування визначення лише певним доменом." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" -msgstr "sss_debuglevel" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" -msgstr "[ЗАСТАРІЛИЙ] змінити рівень діагностики протягом сеансу роботи з SSSD" +"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " +"чином, а files встановлено на один з доменів з розділу <replaceable>[sssd]</" +"replaceable>." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"[domain/files]\n" +"id_provider = files\n" msgstr "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg " -"choice='plain'><replaceable>НОВИЙ_РІВЕНЬ_ДІАГНОСТИКИ</replaceable></arg>" +"[domain/files]\n" +"id_provider = files\n" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#: sssd-files.5.xml:143 msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -"<command>sss_debuglevel</command> вважається застарілим, його замінено " -"командою debug-level sssctl. Будь ласка, зверніться до сторінки підручника " -"щодо <command>sssctl</command>, щоб дізнатися більше про використання sssctl." +"Для балансування кешування даних локальних користувачів та груп у SSSD " +"модуль nss_sss має перебувати у списку файла /etc/nsswitch.conf вище за " +"модуль nss_files." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap +msgid "" +"passwd: sss files\n" +"group: sss files\n" +msgstr "" +"passwd: sss files\n" +"group: sss files\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" -msgstr "sss_seed" +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "sssd-secrets" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" -msgstr "надсилає дані кешу SSSD щодо користувача" - -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
-#: sss_seed.8.xml:21
-msgid ""
-"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
-"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
-"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
-"arg>"
-msgstr ""
-"<command>sss_seed</command> <arg choice='opt'> <replaceable>параметри</"
-"replaceable> </arg> <arg choice='plain'>-D <replaceable>ДОМЕН</replaceable></"
-"arg> <arg choice='plain'>-n <replaceable>КОРИСТУВАЧ</replaceable></arg>"
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr "Відповідач реєстраційних даних SSSD"
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sss_seed.8.xml:33
-msgid ""
-"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
-"temporary password. If a user entry is already present in the SSSD cache "
-"then the entry is updated with the temporary password."
-msgstr ""
-"<command>sss_seed</command> розповсюджує кеш SSSD з записом користувача і "
-"тимчасовим паролем. Якщо запис користувача вже є у кеші SSSD, запис буде "
-"оновлено зі встановленням тимчасового пароля."
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_seed.8.xml:46
+#: sssd-secrets.5.xml:23
 msgid ""
-"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
-"replaceable>"
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
 msgstr ""
-"<option>-D</option>,<option>--domain</option> <replaceable>ДОМЕН</"
-"replaceable>"
+"На цій сторінці довідника описано налаштування засобу надання відповідей "
+"Secrets для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, "
+"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:51
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
 msgid ""
-"Provide the name of the domain in which the user is a member of. The domain "
-"is also used to retrieve user information. The domain must be configured in "
-"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
-"Information retrieved from the domain overrides what is provided in the "
-"options."
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
 msgstr ""
-"Визначає назву домену, учасником якого є користувач. Домен використовується "
-"для отримання даних щодо користувачів. Домен має бути налаштовано у sssd."
-"conf. Має бути надано аргумент <replaceable>ДОМЕН</replaceable>. Дані, "
-"отримані з домену, матимуть вищий пріоритет за дані, вказані за допомогою "
-"параметрів."
+"У багатьох програмах системи або користувача існує потреба у збереженні "
+"конфіденційних даних, зокрема паролів і ключів до служб, та зручній роботі з "
+"цими даними. 
Простим способом вирішення цієї проблеми є вбудовування цих "
+"<quote>реєстраційних даних</quote> до файлів налаштувань. Втім, це "
+"призводить до потенційного розширення доступу до конфіденційних даних через "
+"резервні копії, системи керування налаштуваннями, та загалом робить захист "
+"даних важчим."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_seed.8.xml:63
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
 msgid ""
-"<option>-n</option>,<option>--username</option> <replaceable>USER</"
-"replaceable>"
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
 msgstr ""
-"<option>-n</option>,<option>--username</option> <replaceable>КОРИСТУВАЧ</"
-"replaceable>"
+"Проєкт <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"було створено для урегулювання цієї проблеми у хмароподібних середовищах, "
+"але нам ця ідея здалася вартою уваги навіть на рівні окремої ізольованої "
+"системи. Як служба захисту, SSSD є ідеальним місцем для реалізації такої "
+"можливості з доступом до відповідного програмного інтерфейсу через сокети "
+"UNIX. Така реалізація уможливлює використання локальних викликів і належну "
+"маршрутизацію до локального або віддаленого сховища ключів, зокрема сховища "
+"IPA, для зберігання, депонування і відновлення даних."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:68
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
 msgid ""
-"The username of the entry to be created or modified in the cache. The "
-"<replaceable>USER</replaceable> option must be provided."
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
 msgstr ""
-"Ім’я користувача, запис якого слід створити або змінити у кеші. Має бути "
-"вказано аргумент <replaceable>КОРИСТУВАЧ</replaceable>."
+"Записи реєстраційних даних є простими парами ключ-значення. Реєстраційні "
+"дані кожного з користувачів співвідносяться із його простором назв на основі "
+"ідентифікатора користувача. Це означає, що реєстраційні дані одного "
+"користувача ніколи не потраплять до іншого. Реєстраційні дані зберігаються у "
+"<quote>контейнерах</quote>, які можна вкладати один у одного."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:81
-msgid "Set the UID of the user to <replaceable>UID</replaceable>."
-msgstr "Встановити UID користувача у значення <replaceable>UID</replaceable>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr "secrets"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:93
-msgid "Set the GID of the user to <replaceable>GID</replaceable>."
-msgstr "Встановити GID користувача у значення <replaceable>GID</replaceable>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr "записи реєстраційних даних для загального використання"
-#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:117
-msgid ""
-"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
-msgstr ""
-"Встановити домашній каталог користувача у значення "
-"<replaceable>ДОМАШНІЙ_КАТАЛОГ</replaceable>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr "kcm"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:129
-msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
 msgstr ""
-"Встановити оболонку реєстрації користувача у значення <replaceable>ОБОЛОНКА</"
-"replaceable>."
+"використовується службою <citerefentry> <refentrytitle>sssd-kcm</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:140
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
 msgid ""
-"Interactive mode for entering user information. This option will only prompt "
-"for information not provided in the options or retrieved from the domain."
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. 
The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
-"Інтерактивний режим для введення даних користувача. У разі використання "
-"цього параметра програма надсилатиме запит лише щодо даних, які не було "
-"отримано з параметрів команди або домену."
+"Оскільки відповідач реєстраційних даних може використовуватися ззовні для "
+"зберігання загальних реєстраційних даних, як це описано у решті цієї "
+"сторінки підручника, і всередині іншими компонентами SSSD для зберігання "
+"власних реєстраційних даних, можна налаштувати деякі параметри, зокрема "
+"квоти для окремих записів <quote>hive</quote> у підрозділі налаштувань із "
+"назвою відповідного рою. Підтримувані у поточній версії рої: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_seed.8.xml:148
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr "КОРИСТУВАННЯ ВІДПОВІДАЧЕМ РЕЄСТРАЦІЙНИХ ДАНИХ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
 msgid ""
-"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
-"replaceable>"
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
 msgstr ""
-"<option>-p</option>,<option>--password-file</option> "
-"<replaceable>ФАЙЛ_ПАРОЛІВ</replaceable>"
+"Сокет UNIX, на якому відповідач SSSD очікує на дані, розташовано у "
+"<filename>/var/run/secrets.socket</filename>."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_seed.8.xml:153
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
 msgid ""
-"Specify file to read user's password from. 
(if not specified password is "
-"prompted for)"
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
 msgstr ""
-"Вказати файл, звідки слід читати дані щодо паролів користувачів. Якщо пароль "
-"не буде знайдено, програма надішле запит на його введення."
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sss_seed.8.xml:165
+#: sssd-secrets.5.xml:95
 msgid ""
-"The length of the password (or the size of file specified with -p or --"
-"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
-"on systems with no globally-defined PASS_MAX value)."
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
 msgstr ""
-"Довжина пароля (або розмір файла, визначеного за допомогою параметра -p або "
-"--password-file) має бути меншою або рівною PASS_MAX байтів (64 байти у "
-"системах без визначеного на загальному рівні значення PASS_MAX)."
-
-#. type: Content of: <reference><refentry><refnamediv><refname>
-#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
-msgid "sssd-ifp"
-msgstr "sssd-ifp"
-
-#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
-#: sssd-ifp.5.xml:17
-msgid "SSSD InfoPipe responder"
-msgstr "Відповідач InfoPipe SSSD"
+"Відповідач для реєстраційних даних активується за допомогою сокетів "
+"<citerefentry> <refentrytitle>systemd</refentrytitle> <manvolnum>1</"
+"manvolnum> </citerefentry>. На відміну від інших відповідачів SSSD, його не "
+"можна запустити додаванням рядка <quote>secrets</quote> до інструкції "
+"<quote>service</quote>. Модуль сокета systemd називається <quote>sssd-"
+"secrets.socket</quote>, а відповідний файл служби має назву <quote>sssd-"
+"secrets.service</quote>. Щоб службу можна було активувати за допомогою "
+"сокета, слід увімкнути і задіяти сокет, а потім увімкнути службу: "
+"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що "
+"відповідні налаштування модулів вже могло бути виконано засобами вашого "
+"дистрибутива."
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ifp.5.xml:23
+#: sssd-secrets.5.xml:122
 msgid ""
-"This manual page describes the configuration of the InfoPipe responder for "
-"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
-"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
-"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
-"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
 msgstr ""
-"На цій сторінці довідника описано налаштування засобу надання відповідей "
-"InfoPipe для <citerefentry> <refentrytitle>sssd</refentrytitle> "
-"<manvolnum>8</manvolnum> </citerefentry>. 
Щоб дізнатися більше про синтаксис "
-"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника "
-"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
-"manvolnum> </citerefentry>."
+"Відповідачу реєстраційних даних можна передавати типові параметри "
+"відповідача SSSD, зокрема <quote>debug_level</quote> та <quote>fd_limit</"
+"quote>. Із повним списком параметрів можна ознайомитися на сторінці "
+"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. Крім того, передбачено декілька "
+"специфічних для реєстраційних даних параметрів."
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ifp.5.xml:36
+#: sssd-secrets.5.xml:132
 msgid ""
-"The InfoPipe responder provides a public D-Bus interface accessible over the "
-"system bus. The interface allows the user to query information about remote "
-"users and groups over the system bus."
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
 msgstr ""
-"Відповідач InfoPipe забезпечує роботу відкритого інтерфейсу D-Bus над "
-"системним каналом повідомлень. За допомогою цього інтерфейсу користувачі "
-"можуть надсилати загальносистемним каналом повідомлень запити щодо "
-"інформації про віддалених користувачів і групи."
+"Відповідач реєстраційних даних налаштовується за допомогою загального "
+"розділу <quote>[secrets]</quote> і необов'язкових розділів <quote>[secrets/"
+"users/$uid]</quote> для окремих користувачів у <filename>sssd.conf</"
+"filename>. Будь ласка, зауважте, що деякі параметра, зокрема тип "
+"постачальника даних, можна вказати лише у підрозділах окремих користувачів."
-#. 
type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ifp.5.xml:46
-msgid "These options can be used to configure the InfoPipe responder."
-msgstr ""
-"Цими параметрами можна скористатися для налаштовування відповідача InfoPipe."
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr "provider (рядок)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:53
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr "local"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
 msgid ""
-"Specifies the comma-separated list of UID values or user names that are "
-"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
-"startup."
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
 msgstr ""
-"Визначає список значень UID або імен користувачів, відокремлених комами. "
-"Користувачам з цього списку буде дозволено доступ до відповідача InfoPipe. "
-"UID за іменами користувачів визначатимуться під час запуску."
+"Реєстраційні дані зберігаються у локальній базі даних, зашифровані, разом із "
+"іншими даними, за допомогою основного ключа. Для локального засобу надання "
+"даних у поточній версії не передбачено жодних додаткових параметрів."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:59
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr "proxy"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
 msgid ""
-"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
 msgstr ""
-"Типове значення: 0 (доступ до відповідача InfoPipe має лише адміністративний "
-"користувач (root))"
+"Відповідач реєстраційних даних переспрямовує запити до сервера Custodia. Для "
+"засобу надання даних «proxy» передбачено декілька додаткових параметрів "
+"(див. нижче)."
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:63
+#: sssd-secrets.5.xml:144
 msgid ""
-"Please note that although the UID 0 is used as the default it will be "
-"overwritten with this option. If you still want to allow the root user to "
-"access the InfoPipe responder, which would be the typical case, you have to "
-"add 0 to the list of allowed UIDs as well."
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. 
The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
 msgstr ""
-"Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID "
-"буде перевизначено на основі цього параметра. Якщо ви хочете надати "
-"адміністративному користувачеві (root) доступ до відповідача InfoPipe, що "
-"може бути типовим варіантом, вам слід додати до списку UID з правами доступу "
-"запис 0."
+"Цей параметр визначає, де слід зберігати реєстраційні дані. Відповідач "
+"реєстраційних даних може налаштувати підрозділи для окремих користувачів "
+"(наприклад, <quote>[secrets/users/123]</quote> — див. нижню частину цієї "
+"сторінки підручників, де наведено повний приклад використання Custodia для "
+"окремого користувача), які визначатимуть, яке сховище відповідача "
+"зберігатиме дані певного користувача. Підрозділи окремих користувачів мають "
+"містити усі параметри відповідного засобу надання даних користувача. Будь "
+"ласка, зауважте, що у поточній версії загальний постачальних даних з завжди "
+"локальним, а проміжного постачальника можна вказати лише для окремого "
+"користувача у відповідному розділі. Передбачено підтримку таких "
+"відповідачів: <placeholder type=\"variablelist\" id=\"0\"/>"
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:77
-msgid "Specifies the comma-separated list of white or blacklisted attributes."
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr "Типове значення: local"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
 msgstr ""
-"Визначає список атрибутів з «білого» або «чорного» списків, відокремлених "
-"комами."
-
-#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:91
-msgid "name"
-msgstr "name"
+"Наведені нижче параметри стосуються лише записів реєстраційних даних "
+"<quote>hive</quote> і тому їх слід встановлювати у підрозділах окремих роїв. "
+"Встановлення значення параметра 0 означає «без обмежень»."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:92
-msgid "user's login name"
-msgstr "реєстраційне ім’я користувача"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr "containers_nest_level (ціле значення)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:95
-msgid "uidNumber"
-msgstr "uidNumber"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+"Цей параметр визначає максимальну дозволену кількість вкладених контейнерів."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:96
-msgid "user ID"
-msgstr "ідентифікатор користувача"
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199 include/failover.xml:116
+msgid "Default: 4"
+msgstr "Типове значення: 4"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:99
-msgid "gidNumber"
-msgstr "gidNumber"
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr "max_secrets (ціле значення)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:100
-msgid "primary group ID"
-msgstr "ідентифікатор основної групи"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+"Цей параметр визначає максимальну кількість записів реєстраційних даних, які "
+"можна зберігати у рою."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:103
-msgid "gecos"
-msgstr "gecos"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr "Типове значення: 1024 (рій реєстраційних даних), 256 (рій kcm)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:104
-msgid "user information, typically full name"
-msgstr "дані щодо користувача, типово ім’я повністю"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr "max_uid_secrets (ціле число)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:107
-msgid "homeDirectory"
-msgstr "homeDirectory"
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+"Цей параметр визначає максимальну кількість записів реєстраційних даних, які "
+"можна зберігати окремо для різних UID у рою."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd-ifp.5.xml:111
-msgid "loginShell"
-msgstr "loginShell"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr "Типове значення: 256 (рій реєстраційних даних), 64 (рій kcm)"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:112
-msgid "user shell"
-msgstr "командна оболонка користувача"
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr "max_payload_size (ціле значення)"
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:81
+#: sssd-secrets.5.xml:231
 msgid ""
-"By default, the InfoPipe responder only allows the default set of POSIX "
-"attributes to be requested. This set is the same as returned by "
-"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
-"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
-"id=\"0\"/>"
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
 msgstr ""
-"Типово, відповідач InfoPipe надає дані лише щодо типового набору атрибутів "
-"POSIX. 
Цей набір є тим самим, який повертає програма <citerefentry> "
-"<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </"
-"citerefentry>, його елементи: <placeholder type=\"variablelist\" id=\"0\"/>"
+"Цей параметри визначає максимальний об'єм даних для реєстраційного запису у "
+"кілобайтах."
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ifp.5.xml:125
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+"Типове значення: 16 (рій реєстраційних даних), 65536 (64 МіБ) (рій kcm)"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
 #, no-wrap
 msgid ""
-"user_attributes = +telephoneNumber, -loginShell\n"
-" "
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
 msgstr ""
-"user_attributes = +telephoneNumber, -loginShell\n"
-" "
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:117
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
 msgid ""
-"It is possible to add another attribute to this set by using <quote>"
-"+attr_name</quote> or explicitly remove an attribute using <quote>-"
-"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but "
-"deny <quote>loginShell</quote>, you would use the following configuration: "
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
-"Ви можете додати інший атрибут до цього набору за допомогою параметра "
-"«+назва_атрибута» або явним чином виключити атрибут за допомогою параметра «-"
-"назва_атрибута». Наприклад, щоб дозволити «telephoneNumber», але заборонити "
-"«loginShell», вам слід скористатися такими налаштуваннями: <placeholder type="
+"Наприклад, щоб встановити різні квоти для роїв <quote>secrets</quote> та "
+"<quote>kcm</quote>, скористайтеся такими рядками: <placeholder type="
 "\"programlisting\" id=\"0\"/>"
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:129
-msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
 msgstr ""
-"Типове значення: не встановлено. Дозволено лише типовий набір атрибутів "
-"POSIX."
+"Вказані нижче параметри стосуються лише конфігурацій, у яких "
+"використовується засіб надання даних <quote>proxy</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr "proxy_url (рядок)"
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ifp.5.xml:139
+#: sssd-secrets.5.xml:260
 msgid ""
-"Specifies an upper limit on the number of entries that are downloaded during "
-"a wildcard lookup that overrides caller-supplied limit."
+"The URL the Custodia server is listening on. 
At the moment, http and https " +"protocols are supported." msgstr "" -"Визначає верхню межу для кількості записів, які отримуватимуться під час " -"пошуку з використанням символів-замінників, які перевизначають обмеження, " -"яке накладається функцією виклику." +"Адреса, за якою очікуватиме на дані сервер Custodia. У поточній версії " +"передбачено підтримку протоколів http і https." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "http[s]://<вузол>[:порт]" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "Приклад: http://localhost:8080" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "auth_type (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -"Типове значення: 0 (дозволити встановлювати верхнє обмеження функції виклику)" +"Спосіб розпізнавання сервером Custodia. Передбачено підтримку таких способів " +"розпізнавання:" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "basic_auth" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Розробник (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Розробник (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"Виконати розпізнавання на основі імені користувача і пароля, які визначено " +"параметрами <quote>username</quote> і <quote>password</quote>." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" -msgstr "sss_rpcidmapd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "header" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "Директиви налаштовування додатка sss для rpc.idmapd" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" +"Виконати розпізнавання за допомогою значення заголовка HTTP, як його " +"визначено у параметрах налаштування <quote>auth_header_name</quote> і " +"<quote>auth_header_value</quote>." -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" -msgstr "ФАЙЛ НАЛАШТУВАНЬ" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "auth_header_name (рядок)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" -"Файл налаштувань rpc.idmapd зазвичай зберігається тут: <emphasis>/etc/idmapd." -"conf</emphasis>. Див. підручник з <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися " -"більше." +"Якщо встановлено, відповідач реєстраційних даних додаватиме заголовок із " +"цією назвою до запиту HTTP разом із значенням, яке визначається параметром " +"налаштування <quote>auth_header_value</quote>." -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" -msgstr "РОЗШИРЕННЯ НАЛАШТОВУВАННЯ SSS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "Приклад: MYSECRETNAME" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" -msgstr "Вмикання додатка SSS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "auth_header_value (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" -"У розділі «[Translation]» змініть або додайте атрибут «Method» із вмістом " -"<emphasis>sss</emphasis>." +"Значення, яке sssd-secrets має використовувати для <quote>auth_header_name</" +"quote>." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" -msgstr "Розділ налаштовування [sss]" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "Приклад: mysecret" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "forward_headers (список рядків)" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" -"Якщо вам потрібно змінити типове значення одного з атрибутів налаштувань, " -"перелічених нижче, додатка <emphasis>sss</emphasis>, вам слід створити " -"розділ налаштувань для нього з назвою «[sss]»." - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "Атрибути налаштувань" +"Список заголовків HTTP, які слід переспрямувати до сервера Custodia разом із " +"запитом." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" -msgstr "memcache (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "verify_peer (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." -msgstr "Визначає, чи слід використовувати методику оптимізації кешу у пам’яті." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" +"Визначає, чи слід перевіряти сертифікат вузла і чи слід вважати його чинним, " +"якщо для засобу надання даних проксі використано протокол HTTPS." -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" -msgstr "ІНТЕГРАЦІЯ З SSSD" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "verify_host (булеве значення)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -"Додаток sss потребує вмикання <emphasis>Відповідача NSS</emphasis> у sssd." +"Визначає, чи має назва вузла збігатися із назвою вузла у його сертифікаті, " +"якщо для засобу надання даних проксі використано протокол HTTPS." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "capath (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -"Атрибут «use_fully_qualified_names» має бути увімкнено для усіх доменів " -"(клієнти NFSv4 очікують на те, що надсилається назва повністю)." +"Шлях до каталогу, у якому зберігаються сертифікати служб сертифікації. 
Якщо " +"для цього параметра не встановлено значення, використовуватиметься " +"загальносистемний типовий шлях." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "cacert (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" -"[General]\n" -"Verbosity = 2\n" -"# домен має бути синхронізовано між сервером NFSv4 та клієнтами\n" -"# У Solaris/Illumos/AIX типово використовується \"локальний домен\"!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +"Шлях до файла, у якому міститься сертифікат служби сертифікації сервера. " +"Якщо для цього параметра не встановлено значення, програма шукатиме " +"сертифікат CA у <quote>capath</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "cert (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. 
<placeholder type=\"programlisting\" id=\"0\"/>" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" -"У наведеному нижче прикладі показано мінімальний вигляд idmapd.conf, де " -"використовується додаток sss. <placeholder type=\"programlisting\" id=\"0\"/" -">" +"Шлях до файла, що містить клієнтський сертифікат, якщо такий потрібен для " +"сервера. Цей файл може також містити закритий ключ. Закритий ключ можна " +"також зберігати у файлі, назву якого встановлено за допомогою параметра " +"<quote>key</quote>." -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "ТАКОЖ ПЕРЕГЛЯНЬТЕ" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "key (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "Шлях до файла, у якому міститься закритий ключ клієнта." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "КОРИСТУВАННЯ API REST" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#: sssd-secrets.5.xml:424 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "sss_ssh_authorizedkeys" +"У цьому розділі наведено список доступних команд та приклади користування із " +"використанням програми <citerefentry> <refentrytitle>curl</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry>. Усі запити до засобу надання даних " +"проксі мають встановлювати для заголовка Content Type значення " +"<quote>application/json</quote>. Крім того, для локального засобу надання " +"даних передбачено підтримку встановлення для Content Type значення " +"<quote>application/octet-stream</quote>. Реєстраційні дані, збережені із " +"запитами, де встановлено значення заголовка Content Type <quote>application/" +"octet-stream</quote>, є даними у кодуванні base64 у сховищі, які " +"розшифровуються під час отримання, тому не можна зберігати реєстраційні дані " +"із одним значенням Content Type і отримувати з іншим. Адреса реєстраційних " +"даних має починатися з <filename>/secrets/</filename>." -#. 
type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" -msgstr "1" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "Отримання списку реєстраційних даних" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" -msgstr "отримати уповноважені ключі OpenSSH" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" +"Щоб отримати список доступних реєстраційних даних, надішліть запит HTTP GET " +"із кінцевою навскісною рискою у шляху до контейнера." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>параметри</replaceable> </arg> <arg " -"choice='plain'><replaceable>КОРИСТУВАЧ</replaceable></arg>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "Отримання реєстраційних даних" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -"<command>sss_ssh_authorizedkeys</command> отримує відкриті ключі SSH для " -"користувача <replaceable>КОРИСТУВАЧ</replaceable> і виводить їх у форматі " -"authorized_keys OpenSSH (щоб дізнатися більше, див. розділ <quote>ФОРМАТ " -"ФАЙЛІВ AUTHORIZED_KEYS</quote> на сторінці підручника (man) з " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry>)." +"Щоб прочитати значення окремого запису реєстраційних даних, надішліть запит " +"HTTP GET без кінцевої навскісної риски. Остання частина адреси вважатиметься " +"назвою запису реєстраційних даних." -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. 
Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " msgstr "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> можна налаштувати на використання " -"<command>sss_ssh_authorizedkeys</command> для розпізнавання користувачів за " -"відкритими ключами, якщо програму зібрано із підтримкою параметра " -"<quote>AuthorizedKeysCommand</quote>. Будь ласка, зверніться до сторінки " -"підручника <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>, щоб дізнатися більше про цей " -"параметр." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 #, no-wrap msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" -"Якщо передбачено підтримку <quote>AuthorizedKeysCommand</quote>, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> можна налаштувати на використання ключів за допомогою таких " -"інструкцій у <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"Приклади: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" -msgstr "КЛЮЧІ З СЕРТИФІКАТІВ" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "Встановлення реєстраційних даних" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." 
+"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -"Окрім відкрити ключів SSH для користувача <replaceable>КОРИСТУВАЧ</" -"replaceable>, <command>sss_ssh_authorizedkeys</command> може повертати ключі " -"SSH, які походять від відкритого ключа сертифіката X.509." +"Щоб встановити запис реєстраційних даних з використанням типу " +"<quote>application/json</quote>, надішліть запит HTTP PUT із даними JSON, " +"які включатимуть тип і значення. Тип (type) має бути встановлено у значення " +"\"simple\", а значення (value) має містити дані реєстраційного запису. Якщо " +"запис із вказаною назвою вже існує, відповіддю буде повідомлення про помилку " +"409 HTTP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." 
+"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -"Щоб уможливити це, слід встановити для параметра " -"<quote>ssh_use_certificate_keys</quote> значення true (типове значення) у " -"розділі [ssh] файла <filename>sssd.conf</filename>. Якщо запис користувача " -"містить сертифікати (див <quote>ldap_user_certificate</quote> на сторінці " -"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>, щоб дізнатися більше) або існує сертифікат у " -"записі перевизначення для користувача (див. " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> або <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry>, щоб дізнатися " -"більше), а сертифікат є чинним, SSSD видобуде відкритий ключі з сертифіката " -"і перетворить його до формату, який може використовувати sshd." +"Тип <quote>application/json</quote> просто надсилає реєстраційний ключ як " +"вміст повідомлення." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -"Окрім <quote>ssh_use_certificate_keys</quote>, може бути використано " -"параметри" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" -msgstr "ca_db" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" -msgstr "p11_child_timeout" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" +"У наведеному нижче прикладі ми встановлюємо для реєстраційних даних із " +"назвою «foo» значення «foosecret», а для реєстраційних даних із назвою «bar» " +"— значення «barsecret», використовуючи різні значення Content Type. " +"<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" -msgstr "certificate_verification" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "Створення контейнера" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" +"Контейнери надають додатковий простір назв для реєстраційних даних цього " +"користувача. Для створення контейнера надішліть запит HTTP POST, чи я адреса " +"завершуватиметься назвою контейнера. Будь ласка, зауважте, що адреса має " +"завершуватися символом навскісної риски." -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" -"для керування способом встановлення чинності сертифікатів (докладніше див. " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry>)." +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -"Перевірка чинності є перевагою використання сертифікатів X.509 замість " -"ключів SSH безпосередньо, оскільки, наприклад, це поліпшує можливості " -"керування часом придатності ключів. Якщо клієнт ssh налаштовано не " -"використання закритих ключів з смарткартки за допомогою бібліотеки PKCS#11 " -"спільного використання (див. <citerefentry><refentrytitle>ssh</" -"refentrytitle> <manvolnum>1</manvolnum></citerefentry>, щоб дізнатися " -"більше), може дратувати те, що розпізнавання залишається працездатним, " -"навіть якщо пов'язаний із ним сертифікат X.509 на смарткартці вже втратив " -"чинність, оскільки ні <command>ssh</command>, ні <command>sshd</command> не " -"братимуть сертифікат до уваги взагалі." +"У наступному прикладі створюємо контейнер із назвою «mycontainer»: " +"<placeholder type=\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" -"Слід зауважити, що похідний відкритий ключ SSH все одно можна додати до " -"файла <filename>authorized_keys</filename> користувача, щоб обійти перевірку " -"чинності сертифіката, якщо налаштування <command>sshd</command> надають " -"змогу це робити." +"http://localhost/secrets/mycontainer/mysecret\n" +" " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#: sssd-secrets.5.xml:535 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"Шукати відкриті ключі користувачів у домені SSSD <replaceable>ДОМЕН</" -"replaceable>." +"Щоб працювати із записами реєстраційних даних у цьому контейнері, просто " +"вкладіть записи реєстраційних даних до шляху контейнера: <placeholder type=" +"\"programlisting\" id=\"0\"/>" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" -msgstr "СТАН ВИХОДУ" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "Вилучення реєстраційних даних або контейнера" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -"У випадку успіху значення стану виходу дорівнює 0. У всіх інших випадках " -"програма повертає 1." - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" -msgstr "sss_ssh_knownhostsproxy" - -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" -msgstr "отримати ключі вузла OpenSSH" +"Щоб вилучити запис реєстраційних даних або контейнер, надішліть запит HTTP " +"DELETE із шляхом до запису реєстраційних даних або до контейнера." -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>параметри</replaceable> </arg> <arg " -"choice='plain'><replaceable>ВУЗОЛ</replaceable></arg> <arg " -"choice='opt'><replaceable>КОМАНДА_ПРОКСІ</replaceable></arg>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +"The following example deletes a secret named 'foo'. 
<placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -"<command>sss_ssh_knownhostsproxy</command> отримує відкриті ключі вузла SSH " -"для вузла <replaceable>ВУЗОЛ</replaceable>, зберігає їх до нетипового файла " -"OpenSSH known_hosts (щоб дізнатися більше, ознайомтеся з розділом " -"<quote>ФОРМАТ ФАЙЛІВ SSH_KNOWN_HOSTS</quote> сторінки підручника (man) " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry>) за адресою <filename>/var/lib/sss/pubconf/known_hosts</" -"filename> і встановлює з’єднання з вузлом." +"У наведеному нижче прикладі ми вилучимо реєстраційні дані для запису «foo». " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "ПРИКЛАД НАЛАШТОВУВАННЯ МОДУЛІВ НАДАННЯ ДАНИХ CUSTODIA І ПРОКСІ" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 +#: sssd-secrets.5.xml:565 msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -"Якщо вказано параметр <replaceable>КОМАНДА_ПРОКСІ</replaceable>, замість " -"відкриття сокета для створення з’єднання буде використано відповідну команду." +"Для тестування засобу надання даних «proxy» вам слід налаштувати проксі-" +"передавання на сервер Custodia. Будь ласка, завжди користуйтеся " +"документацією до Custodia, оскільки інструкції налаштовування у різних " +"версіях Custodia можуть бути різними." #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#: sssd-secrets.5.xml:576 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> можна налаштувати на використання " -"<command>sss_ssh_knownhostsproxy</command> для розпізнавання вузлів за " -"ключами за допомогою таких інструкцій у налаштуваннях " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 +#: sssd-secrets.5.xml:570 msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"<option>-p</option>,<option>--port</option> <replaceable>ПОРТ</replaceable>" +"Ці налаштування визначають для сервера Custodia адресу очікування даних " +"http://localhost:8080, дозволяють будь-кому із заголовком із назвою " +"MYSECRETNAME, який встановлено у значення mysecretkey, обмін даними із " +"сервером Custodia. Запишіть ці дані до файла (наприклад, " +"<replaceable>custodia.conf</replaceable>): <placeholder type=\"programlisting" +"\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -"Використовувати для встановлення з’єднання з вузлом порт <replaceable>ПОРТ</" -"replaceable>. Типовим портом є порт 22." +"Далі, віддайте команду <replaceable>custodia</replaceable>, вказавши файл " +"налаштувань у параметрі командного рядка." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -"Шукати відкриті ключі вузлів у домені SSSD <replaceable>ДОМЕН</replaceable>." - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" -msgstr "<option>-k</option>,<option>--pubkey</option>" +"Будь ласка, зверніть увагу на те, що у поточній версії неможливо на " +"загальному рівні переспрямовувати усі запити до екземпляра Custodia. 
Замість " +"цього слід визначати підрозділи для окремих ідентифікаторів користувачів, " +"які переспрямовуватимуть запити до Custodia. У наведеному нижче прикладі " +"проілюстровано конфігурацію, за якої запити користувача із UID 123 " +"переспрямовуватимуться до Custodia, а запити усіх інших користувачів " +"оброблятимуться локальним засобом надання даних." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." -msgstr "Вивести відкриті ключі SSH для вузла <replaceable>HOST</replaceable>." +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " #. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" -msgstr "idmap_sss" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "sssd-session-recording" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" -msgstr "Модуль idmap_sss SSSD для Winbind" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "Налаштовування записів сеансів за допомогою SSSD" #. 
type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 +#: sssd-session-recording.5.xml:23 msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -"Модуль idmap_sss надає змогу викликати SSSD для прив'язки UID/GID і SID. У " -"цьому випадку база даних не потрібна, оскільки прив'язка виконується " -"засобами SSSD." - -#. type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" -msgstr "ПАРАМЕТРИ IDMAP" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" -msgstr "діапазон = нижче - вище" +"На цій сторінці підручника описано налаштовування <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"на роботу з <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, частиною пакунка tlog, для " +"реалізації записування сеансів користувачів у текстових терміналах. " +"Докладний довідник щодо синтаксису налаштувань можна знайти у розділі " +"<quote>ФОРМАТ ФАЙЛА</quote> сторінки підручника з <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -"Визначає доступний для обробки модулем діапазон відповідності UID і GID." +"SSSD можна налаштувати так, щоб уможливити запис усіх даних, які бачать або " +"вводять протягом сеансу у текстових терміналах вказані користувачі. " +"Наприклад, можна записувати дані щодо входу користувачів за допомогою " +"консолі або SSH. Сама SSSD нічого не записує, а лише забезпечує запуск tlog-" +"rec-session під час входу до системи користувача, щоб можна було здійснювати " +"запис відповідно до налаштувань." #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#: sssd-session-recording.5.xml:48 msgid "" -"This example shows how to configure idmap_sss as the default mapping module." +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -"У цьому прикладі продемонстровано налаштовування idmap_sss як типового " -"модуля прив'язки." 
+"Для користувачів, для яких увімкнено запис сеансів, SSSD замінює командну " +"оболонку користувача на tlog-rec-session у відповідях NSS і додає змінну, " +"яка вказує на початкову командну оболонку до середовища користувача у " +"налаштування сеансу PAM. Таким чином забезпечується запуск tlog-rec-session " +"замість командної оболонки користувача і надання даних про те, яку командну " +"оболонку слід запустити, щойно розпочнеться записування." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " -msgstr "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів." #. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 +#: sssd-session-recording.5.xml:146 msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." 
msgstr "" -"Будь ласка, замініть <AD-DOMAIN-SHORTNAME> на назву домену у NetBIOS " -"домену AD. Якщо має бути використано декілька доменів AD, для кожного домену " -"потрібен рядок <literal>idmap config</literal> із <literal>backend = sss</" -"literal> і рядок із відповідним <literal>range</literal>." +"У наведеному нижче фрагменті файла sssd.conf увімкнено запис сеансів для " +"користувачів contractor1 і contractor2» та групи students." -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -"Оскільки для Winbind потрібен придатний до запису типовий модуль, а " -"idmap_sss є придатним лише для читання, до прикладу включено як типовий " -"модуль <literal>backend = tdb</literal>." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" -msgstr "sssctl" +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "sssd-kcm" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" -msgstr "Засіб керування і визначення стану SSSD" +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "Керування кешем Kerberos SSSD" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." msgstr "" -"<command>sssctl</command> <arg choice='plain'><replaceable>КОМАНДА</" -"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </" -"arg>" +"На цій сторінці підручника описано налаштування засобу керування кешем " +"Kerberos SSSD (Kerberos Cache Manager або KCM). KCM є процесом, який " +"зберігає, стежить і керує кешем реєстраційних даних Kerberos. Ідея створення " +"засобу походить із проєкту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT " +"також надається підтримка з боку клієнта для кешу реєстраційних даних KCM " +"(докладніше про це нижче)." #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#: sssd-kcm.8.xml:31 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. 
The client and server " +"communicate over a UNIX socket." msgstr "" -"<command>sssctl</command> є простим і уніфікованим засобом отримання даних " -"щодо стану SSSD, зокрема активного сервера, серверів автоматичного " -"визначення, доменів і кешованих об'єктів. Крім того, програма здатна " -"керувати файлами даних SSSD для усування вад у такий спосіб, щоб з ними " -"можна було безпечно працювати, доки працює SSSD." +"У конфігураціях, де кешем Kerberos керує KCM, бібліотека Kerberos (типово " +"використовується за допомогою якоїсь програми, наприклад <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>) є <quote>клієнтом KCM</quote>, а фонова служба KCM вважається " +"<quote>сервером KCM</quote>. Клієнт і сервер обмінюються даними за допомогою " +"сокета UNIX." #. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 +#: sssd-kcm.8.xml:42 msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -"Щоб ознайомитися зі списком усіх доступних команд, віддайте команду " -"<command>sssctl</command> без параметрів. Щоб програма вивела довідкове " -"повідомлення щодо певної команди, віддайте команду <command>sssctl КОМАНДА --" -"help</command>." +"Сервер KCM стежити за кожним власником кешу реєстраційних даних і виконує " +"перевірку прав доступу на основі UID і GID клієнта KCM. Користувач root має " +"доступ до усіх кешів реєстраційних даних." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" -msgstr "sssd-files" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "Кеш реєстраційних даних KCM має декілька цікавих властивостей:" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" -msgstr "Засіб надання файлів SSSD" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" +"оскільки процес виконується у просторі користувача, він підлягає обмеженням " +"за простором назв UID, на відміну від набору ключів ядра" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -"На цій сторінці довідника описано налаштування засобу обробки файлів для " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Щоб дізнатися більше про синтаксис налаштування, зверніться " -"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." 
+"на відміну від кешу на основі наборів ключів ядра, який є спільним для усіх " +"контейнерів, сервер KCM є окремим процесом, чия точка входу є сокетом UNIX" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +#, fuzzy +#| msgid "" +#| "the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +#| "<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +#| "citerefentry> secrets store, allowing the ccaches to survive KCM server " +#| "restarts or machine reboots." msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" -"Засіб надання даних файлів створює дзеркальну копію вмісту файлів " -"<citerefentry> <refentrytitle>passwd</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> і <citerefentry> <refentrytitle>group</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Метою роботи засобу " -"надання даних файлів є забезпечення доступу до даних користувачів і груп, " -"які традиційно доступні за допомогою інтерфейсів NSS, також за допомогою " -"інтерфейсів SSSD, зокрема <citerefentry> <refentrytitle>sssd-ifp</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." 
+"реалізація у SSSD зберігає ccache-і у сховищі реєстраційних даних " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> SSSD, що надає змогу ccache-ам переживати " +"перезапуски сервера KCM та перезавантаження комп'ютера." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 +#: sssd-kcm.8.xml:67 msgid "" -"Another reason is to provide efficient caching of local users and groups." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -"Іншою причиною може бути потреба у забезпеченні ефективного кешування даних " -"локальних користувачів і груп." +"Це надає змогу системі використовувати кеш реєстраційних даних із " +"врахуванням збірок, одночасно надаючи спільний доступ до кешу реєстраційних " +"даних для декількох контейнерів або без контейнерів взагалі шляхом " +"прив'язування-монтування сокета." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "КОРИСТУВАННЯ КЕШЕМ РЕЄСТРАЦІЙНИХ ДАНИХ KCM" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" -"Будь ласка, зауважте, що у деяких дистрибутивах домен files увімкнено " -"автоматично, оскільки цей домен додано до будь-якого із явно визначених " -"доменів. Див. 
enable_files_domain у <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 +#: sssd-kcm.8.xml:76 msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"SSSD ніколи не виконує визначення для користувача або групи «root». Крім " -"того, SSSD не обробляє запити щодо визначення UID/GID 0. Такі запити " -"передаються наступному модулю NSS (зазвичай, files)." +"Для використання кешу реєстраційних даних KCM його слід вибрати стандартним " +"типом реєстраційних даних у <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Назвою кешу " +"реєстраційних даних має бути лише <quote>KCM:</quote> без будь-яких " +"розширень шаблонами. Приклад: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 +#: sssd-kcm.8.xml:89 msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. 
To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"Якщо SSSD не запущено або програма не відповідає, nss_sss повертає код " -"UNAVAIL, що спричиняє передавання запиту наступному модулю." - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" -msgstr "passwd_files (рядок)" +"Далі, слід визначити однаковий шлях до сокета UNIX для клієнтських бібліотек " +"Kerberos і сервера KCM. Типово, у обох випадках використовується однаковий " +"шлях <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. Для " +"налаштовування бібліотеки Kerberos змініть значення її параметра " +"<quote>kcm_socket</quote>, як це описано на сторінці підручника " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -"Список з однієї чи декількох відокремлених комами назв файлів паролів, які " -"слід прочитати і нумерувати засобу надання даних файлів. Для кожного " -"вказаного файла буде встановлено спостереження за допомогою inotify для " -"динамічного виявлення внесених до нього змін." - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" -msgstr "Типове значення: /etc/passwd" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" -msgstr "group_files (рядок)" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -"Список з однієї чи декількох відокремлених комами назв файлів груп, які слід " -"прочитати і нумерувати засобу надання даних файлів. Для кожного вказаного " -"файла буде встановлено спостереження за допомогою inotify для динамічного " -"виявлення внесених до нього змін." +"Нарешті, переконайтеся, що з сервером KCM SSSD можна встановити зв'язок. " +"Типово, служба KCM вмикається за допомогою сокета з <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
На відміну від інших служб SSSD, її не можна запустити " +"додаванням рядка <quote>kcm</quote> до інструкції <quote>service</quote>. " +"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що " +"відповідні налаштування модулів вже могло бути виконано засобами вашого " +"дистрибутива." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" -msgstr "Типове значення: /etc/group" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "СХОВИЩЕ КЕШУ РЕЄСТРАЦІЙНИХ ДАНИХ" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" -msgstr "" -"Окрім параметрів із наведеного нижче списку, можна встановлювати, де це є " -"відповідним, загальні параметри домену SSSD. Зверніться до розділу " -"<quote>РОЗДІЛИ ДОМЕНІВ</quote> сторінки підручника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>, щоб дізнатися більше про налаштовування домені SSSD. 
Втім, " -"призначенням надавача даних files є надання тих самих даних, які " -"встановлюються для файлів UNIX, просто за допомогою інтерфейсів SSSD. Тому " -"передбачено підтримку не усіх загальних параметрів доменів. Так само, деякі " -"загальні параметри, зокрема перевизначення командної оболонки у розділі " -"<quote>nss</quote> для усіх доменів, ні на що не впливають у домені files, " -"якщо їх не вказано явним чином для окремих доменів. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#: sssd-kcm.8.xml:122 +msgid "" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." +msgstr "" +"Кеші реєстраційних даних зберігаються у базі даних, дуже подібно до кешів " +"записів користувачів і груп SSSD. Типово, база даних зберігається у <quote>/" +"var/lib/sss/secrets</quote>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" +msgstr "ОТРИМАННЯ ДІАГНОСТИЧНОГО ЖУРНАЛУ" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " -"чином, а files встановлено на один з доменів з розділу <replaceable>[sssd]</" -"replaceable>." +"[kcm]\n" +"debug_level = 10\n" +" " #. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 #, no-wrap msgid "" -"[domain/files]\n" -"id_provider = files\n" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -"[domain/files]\n" -"id_provider = files\n" +"systemctl restart sssd-kcm.service\n" +" " #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 +#: sssd-kcm.8.xml:131 msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -"Для балансування кешування даних локальних користувачів та груп у SSSD " -"модуль nss_sss має перебувати у списку файла /etc/nsswitch.conf вище за " -"модуль nss_files." +"Типово, служба sssd-kcm активує крізь сокет <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. 
Для створення діагностичних журналів додайте вказані нижче " +"рядки або безпосередньо до файла <filename>/etc/sssd/sssd.conf</filename>, " +"або як фрагмент налаштувань до каталогу <filename>/etc/sssd/conf.d/</" +"filename>: <placeholder type=\"programlisting\" id=\"0\"/> Далі, " +"перезапустіть службу sssd-kcm: <placeholder type=\"programlisting\" id=\"1\"/" +"> Нарешті, виконайте дії, які не призводять до бажаних для вас наслідків. " +"Журнал KCM буде записано до <filename>/var/log/sssd/sssd_kcm.log</filename>. " +"Рекомендуємо вимкнути ведення діагностичного журналу, якщо вам не потрібні " +"діагностичні дані, оскільки служба sssd-kcm може породжувати доволі великий " +"обсяг діагностичних даних." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 msgid "" -"passwd: sss files\n" -"group: sss files\n" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -"passwd: sss files\n" -"group: sss files\n" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" -msgstr "sssd-secrets" +"Будь ласка, зауважте, що у поточній версії фрагменти налаштувань буде " +"оброблено, лише якщо взагалі існує основний файл налаштувань <filename>/etc/" +"sssd/sssd.conf</filename>." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" -msgstr "Відповідач реєстраційних даних SSSD" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. 
Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 +#: sssd-kcm.8.xml:175 +#, fuzzy +#| msgid "" +#| "This manual page describes the files provider for <citerefentry> " +#| "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +#| "citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +#| "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -"На цій сторінці довідника описано налаштування засобу надання відповідей " -"Secrets для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" -"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, " -"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> " +"На цій сторінці довідника описано налаштування засобу обробки файлів для " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
Щоб дізнатися більше про синтаксис налаштування, зверніться " +"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>." #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 +#: sssd-kcm.8.xml:183 msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -"У багатьох програмах системи або користувача існує потреба у збереженні " -"конфіденційних даних, зокрема паролів і ключів до служб, та зручній роботі з " -"цими даними. Простим способом вирішення цієї проблеми є вбудовування цих " -"<quote>реєстраційних даних</quote> до файлів налаштувань. Втім, це " -"призводить до потенційного розширення доступу до конфіденційних даних через " -"резервні копії, системи керування налаштуваннями, та загалом робить захист " -"даних важчим." +"Службі kcm можна передавати типові параметри служби SSSD, зокрема " +"<quote>debug_level</quote> та <quote>fd_limit</quote> Із повним списком " +"параметрів можна ознайомитися на сторінці підручника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>. Крім того, передбачено декілька специфічних для KCM " +"параметрів." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" +msgstr "socket_path (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." +msgstr "Сокет, на якому очікуватиме на з'єднання служба KCM." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -"Проєкт <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"було створено для урегулювання цієї проблеми у хмароподібних середовищах, " -"але нам ця ідея здалася вартою уваги навіть на рівні окремої ізольованої " -"системи. Як служба захисту, SSSD є ідеальним місцем для реалізації такої " -"можливості з доступом до відповідного програмного інтерфейсу через сокети " -"UNIX. Така реалізація уможливлює використання локальних викликів і належну " -"маршрутизацію до локального або віддаленого сховища ключів, зокрема сховища " -"IPA, для зберігання, депонування і відновлення даних." +"Типове значення: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +#, fuzzy +#| msgid "max_secrets (integer)" +msgid "max_ccaches (integer)" +msgstr "max_secrets (ціле значення)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." msgstr "" -"Записи реєстраційних даних є простими парами ключ-значення. Реєстраційні " -"дані кожного з користувачів співвідносяться із його простором назв на основі " -"ідентифікатора користувача. Це означає, що реєстраційні дані одного " -"користувача ніколи не потраплять до іншого. Реєстраційні дані зберігаються у " -"<quote>контейнерах</quote>, які можна вкладати один у одного." -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" -msgstr "secrets" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" -msgstr "записи реєстраційних даних для загального використання" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +#, fuzzy +#| msgid "max_uid_secrets (integer)" +msgid "max_uid_ccaches (integer)" +msgstr "max_uid_secrets (ціле число)" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" -msgstr "kcm" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:220 +msgid "" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 64" +msgstr "Типове значення: 6" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +#, fuzzy +#| msgid "max_payload_size (integer)" +msgid "max_ccache_size (integer)" +msgstr "max_payload_size (ціле значення)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:233 msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" -"використовується службою <citerefentry> <refentrytitle>sssd-kcm</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 6" +msgid "Default: 65536" +msgstr "Типове значення: 6" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 +#: sssd-kcm.8.xml:247 msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" -"Оскільки відповідач реєстраційних даних може використовуватися ззовні для " -"зберігання загальних реєстраційних даних, як це описано у решті цієї " -"сторінки підручника, і всередині іншими компонентами SSSD для зберігання " -"власних реєстраційних даних, можна налаштувати деякі параметри, зокрема " -"квоти для окремих записів <quote>hive</quote> у підрозділі налаштувань із " -"назвою відповідного рою. Підтримувані у поточній версії рої: <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" -msgstr "КОРИСТУВАННЯ ВІДПОВІДАЧЕМ РЕЄСТРАЦІЙНИХ ДАНИХ" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "sssd-systemtap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "Дані systemtap SSSD" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 +#: sssd-systemtap.5.xml:23 msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -"Сокет UNIX, на якому відповідач SSSD очікує на дані, розташовано у " -"<filename>/var/run/secrets.socket</filename>." +"Цю сторінку підручника присвячено функціональним можливостям systemtap у " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +"Точки зондування SystemTap додано до різноманітних частин коду SSSD, щоб " +"полегшити усування вад та аналіз пов'язаних зі швидкодією проблем." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. 
" -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -"Відповідач для реєстраційних даних активується за допомогою сокетів " -"<citerefentry> <refentrytitle>systemd</refentrytitle> <manvolnum>1</" -"manvolnum> </citerefentry>. На відміну від інших відповідачів SSSD, його не " -"можна запустити додаванням рядка <quote>secrets</quote> до інструкції " -"<quote>service</quote>. Модуль сокета systemd називається <quote>sssd-" -"secrets.socket</quote>, а відповідний файл служби має назву <quote>sssd-" -"secrets.service</quote>. Щоб службу можна було активувати за допомогою " -"сокета, слід увімкнути і задіяти сокет, а потім увімкнути службу: " -"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що " -"відповідні налаштування модулів вже могло бути виконано засобами вашого " -"дистрибутива." +"Зразки скриптів SystemTap зберігаються у каталозі /usr/share/sssd/systemtap/" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. 
In addition, " -"there are some secrets-specific options as well." +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -"Відповідачу реєстраційних даних можна передавати типові параметри " -"відповідача SSSD, зокрема <quote>debug_level</quote> та <quote>fd_limit</" -"quote>. Із повним списком параметрів можна ознайомитися на сторінці " -"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>. Крім того, передбачено декілька " -"специфічних для реєстраційних даних параметрів." +"Зонди і різноманітні функції визначено у /usr/share/systemtap/tapset/sssd." +"stp і /usr/share/systemtap/tapset/sssd_functions.stp, відповідно." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "ТОЧКИ ЗОНДУВАННЯ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -"Відповідач реєстраційних даних налаштовується за допомогою загального " -"розділу <quote>[secrets]</quote> і необов'язкових розділів <quote>[secrets/" -"users/$uid]</quote> для окремих користувачів у <filename>sssd.conf</" -"filename>. Будь ласка, зауважте, що деякі параметра, зокрема тип " -"постачальника даних, можна вказати лише у підрозділах окремих користувачів." 
+"Дані у наведених нижче списках точок зондування та аргументів записано у " +"такому форматі:" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" -msgstr "provider (рядок)" +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "зонд $назва" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" -msgstr "local" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "Опис точки зондування" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -"Реєстраційні дані зберігаються у локальній базі даних, зашифровані, разом із " -"іншими даними, за допомогою основного ключа. Для локального засобу надання " -"даних у поточній версії не передбачено жодних додаткових параметрів." +"змінна1:тип даних\n" +"змінна2:тип даних\n" +"змінна3:тип даних\n" +"...\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" -msgstr "proxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "Зонди операцій із базою даних" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "зонд sssd_transaction_start" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." -msgstr "" -"Відповідач реєстраційних даних переспрямовує запити до сервера Custodia. Для " -"засобу надання даних «proxy» передбачено декілька додаткових параметрів " -"(див. нижче)." +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "Розпочати операцію sysdb, зондує функцію sysdb_transaction_start()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. 
The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -"Цей параметр визначає, де слід зберігати реєстраційні дані. Відповідач " -"реєстраційних даних може налаштувати підрозділи для окремих користувачів " -"(наприклад, <quote>[secrets/users/123]</quote> — див. нижню частину цієї " -"сторінки підручників, де наведено повний приклад використання Custodia для " -"окремого користувача), які визначатимуть, яке сховище відповідача " -"зберігатиме дані певного користувача. Підрозділи окремих користувачів мають " -"містити усі параметри відповідного засобу надання даних користувача. Будь " -"ласка, зауважте, що у поточній версії загальний постачальних даних з завжди " -"локальним, а проміжного постачальника можна вказати лише для окремого " -"користувача у відповідному розділі. Передбачено підтримку таких " -"відповідачів: <placeholder type=\"variablelist\" id=\"0\"/>" +"nesting:ціле число\n" +"probestr:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" -msgstr "Типове значення: local" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "зонд sssd_transaction_cancel" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." -msgstr "" -"Наведені нижче параметри стосуються лише записів реєстраційних даних " -"<quote>hive</quote> і тому їх слід встановлювати у підрозділах окремих роїв. 
" -"Встановлення значення параметра 0 означає «без обмежень»." +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" +"Скасовування операції sysdb, зондує функцію sysdb_transaction_cancel() ." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" -msgstr "containers_nest_level (ціле значення)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "зонд sssd_transaction_commit_before" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." -msgstr "" -"Цей параметр визначає максимальну дозволену кількість вкладених контейнерів." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "Зондує функцію sysdb_transaction_commit_before()." -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" -msgstr "Типове значення: 4" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "зонд sssd_transaction_commit_after" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" -msgstr "max_secrets (ціле значення)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "Зондує функцію sysdb_transaction_commit_after()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 -msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." -msgstr "" -"Цей параметр визначає максимальну кількість записів реєстраційних даних, які " -"можна зберігати у рою." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "Зонди пошуку у LDAP" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" -msgstr "Типове значення: 1024 (рій реєстраційних даних), 256 (рій kcm)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "зонд sdap_search_send" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" -msgstr "max_uid_secrets (ціле число)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "Зондує функцію sdap_get_generic_ext_send()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, fuzzy, no-wrap +#| msgid "" +#| "base:string\n" +#| "scope:integer\n" +#| "filter:string\n" +#| "probestr:string\n" +#| " " msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -"Цей параметр визначає максимальну кількість записів реєстраційних даних, які " -"можна зберігати окремо для різних UID у рою." +"base:рядок\n" +"scope:ціле число\n" +"filter:рядок\n" +"probestr:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" -msgstr "Типове значення: 256 (рій реєстраційних даних), 64 (рій kcm)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" +msgstr "зонд sdap_search_recv" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" -msgstr "max_payload_size (ціле значення)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "Зондує функцію sdap_get_generic_ext_recv()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -"Цей параметри визначає максимальний об'єм даних для реєстраційного запису у " -"кілобайтах." +"base:рядок\n" +"scope:ціле число\n" +"filter:рядок\n" +"probestr:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" -msgstr "" -"Типове значення: 16 (рій реєстраційних даних), 65536 (64 МіБ) (рій kcm)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +#, fuzzy +#| msgid "probe sdap_deref_send" +msgid "probe sdap_parse_entry" +msgstr "зонд sdap_deref_send" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, fuzzy, no-wrap +#| msgid "" +#| "filter:string\n" +#| " " msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"attr:string\n" +"value:string\n" +" " msgstr "" -"Наприклад, щоб встановити різні квоти для роїв <quote>secrets</quote> та " -"<quote>kcm</quote>, скористайтеся такими рядками: <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"filter:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +#, fuzzy +#| msgid "probe dp_req_done" +msgid "probe sdap_parse_entry_done" +msgstr "зонд dp_req_done" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -"Вказані нижче параметри стосуються лише конфігурацій, у яких " -"використовується засіб надання даних <quote>proxy</quote>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" -msgstr "proxy_url (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" +msgstr "зонд sdap_deref_send" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "Зондує функцію sdap_deref_search_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -"Адреса, за якою очікуватиме на дані сервер Custodia. У поточній версії " -"передбачено підтримку протоколів http і https." +"base_dn:рядок\n" +"deref_attr:рядок\n" +"probestr:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" -msgstr "http[s]://<вузол>[:порт]" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" +msgstr "зонд sdap_deref_recv" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" -msgstr "Приклад: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "Зондує функцію sdap_deref_search_recv()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" -msgstr "auth_type (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" +msgstr "Зонди запитів щодо облікових записів у LDAP" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 -msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" -msgstr "" -"Спосіб розпізнавання сервером Custodia. Передбачено підтримку таких способів " -"розпізнавання:" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" +msgstr "зонд sdap_acct_req_send" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" -msgstr "basic_auth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." +msgstr "Зондує функцію sdap_acct_req_send()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -"Виконати розпізнавання на основі імені користувача і пароля, які визначено " -"параметрами <quote>username</quote> і <quote>password</quote>." 
+"entry_type:ціле число\n" +"filter_type:ціле число\n" +"filter_value:рядок\n" +"extra_value:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" +msgstr "зонд sdap_acct_req_recv" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "Зондує функцію sdap_acct_req_recv()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" -msgstr "header" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" +msgstr "Зонди пошуку користувачів у LDAP" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." -msgstr "" -"Виконати розпізнавання за допомогою значення заголовка HTTP, як його " -"визначено у параметрах налаштування <quote>auth_header_name</quote> і " -"<quote>auth_header_value</quote>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" +msgstr "зонд sdap_search_user_send" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" -msgstr "auth_header_name (рядок)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "Зондує функцію sdap_search_user_send()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"filter:string\n" +" " msgstr "" -"Якщо встановлено, відповідач реєстраційних даних додаватиме заголовок із " -"цією назвою до запиту HTTP разом із значенням, яке визначається параметром " -"налаштування <quote>auth_header_value</quote>." +"filter:рядок\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" -msgstr "Приклад: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" +msgstr "зонд sdap_search_user_recv" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" -msgstr "auth_header_value (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." +msgstr "Зондує функцію sdap_search_user_recv()." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 -msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." -msgstr "" -"Значення, яке sssd-secrets має використовувати для <quote>auth_header_name</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" +msgstr "зонд sdap_search_user_save_begin" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" -msgstr "Приклад: mysecret" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "Зондує функцію sdap_search_user_save_begin()." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" -msgstr "forward_headers (список рядків)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "зонд sdap_search_user_save_end" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 -msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." -msgstr "" -"Список заголовків HTTP, які слід переспрямувати до сервера Custodia разом із " -"запитом." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "Зондує функцію sdap_search_user_save_end()." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" -msgstr "verify_peer (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "Зонди запитів до постачальника даних" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 -msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." -msgstr "" -"Визначає, чи слід перевіряти сертифікат вузла і чи слід вважати його чинним, " -"якщо для засобу надання даних проксі використано протокол HTTPS." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" +msgstr "зонд dp_req_send" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" -msgstr "verify_host (булеве значення)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "Подано запит до постачальника даних." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." 
+"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -"Визначає, чи має назва вузла збігатися із назвою вузла у його сертифікаті, " -"якщо для засобу надання даних проксі використано протокол HTTPS." +"dp_req_domain:рядок\n" +"dp_req_name:рядок\n" +"dp_req_target:ціле число\n" +"dp_req_method:ціле число\n" +" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" -msgstr "capath (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" +msgstr "зонд dp_req_done" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." +msgstr "Завершено виконання запиту до постачальника даних." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -"Шлях до каталогу, у якому зберігаються сертифікати служб сертифікації. Якщо " -"для цього параметра не встановлено значення, використовуватиметься " -"загальносистемний типовий шлях." +"dp_req_name:рядок\n" +"dp_req_target:ціле число\n" +"dp_req_method:ціле число\n" +"dp_ret:ціле число\n" +"dp_errorstr:рядок\n" +" " -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" -msgstr "cacert (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "РІЗНОМАНІТНІ ФУНКЦІЇ" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 -msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." -msgstr "" -"Шлях до файла, у якому міститься сертифікат служби сертифікації сервера. " -"Якщо для цього параметра не встановлено значення, програма шукатиме " -"сертифікат CA у <quote>capath</quote>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" +msgstr "функція acct_req_desc(entry_type)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" -msgstr "cert (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" +msgstr "Перетворення entry_type на рядок і повернення рядка" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." 
+"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -"Шлях до файла, що містить клієнтський сертифікат, якщо такий потрібен для " -"сервера. Цей файл може також містити закритий ключ. Закритий ключ можна " -"також зберігати у файлі, назву якого встановлено за допомогою параметра " -"<quote>key</quote>." +"функція sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" -msgstr "key (рядок)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" +msgstr "Створення рядка зонду на основі типу фільтрування" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." -msgstr "Шлях до файла, у якому міститься закритий ключ клієнта." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" +msgstr "функція dp_target_str(target)" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" -msgstr "КОРИСТУВАННЯ API REST" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" +msgstr "Перетворення target на рядок і повернення рядка" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 -msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. 
All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." -msgstr "" -"У цьому розділі наведено список доступних команд та приклади користування із " -"використанням програми <citerefentry> <refentrytitle>curl</refentrytitle> " -"<manvolnum>1</manvolnum> </citerefentry>. Усі запити до засобу надання даних " -"проксі мають встановлювати для заголовка Content Type значення " -"<quote>application/json</quote>. Крім того, для локального засобу надання " -"даних передбачено підтримку встановлення для Content Type значення " -"<quote>application/octet-stream</quote>. Реєстраційні дані, збережені із " -"запитами, де встановлено значення заголовка Content Type <quote>application/" -"octet-stream</quote>, є даними у кодуванні base64 у сховищі, які " -"розшифровуються під час отримання, тому не можна зберігати реєстраційні дані " -"із одним значенням Content Type і отримувати з іншим. Адреса реєстраційних " -"даних має починатися з <filename>/secrets/</filename>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" +msgstr "функція dp_method_str(target)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" -msgstr "Отримання списку реєстраційних даних" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "Перетворення методу на рядок і повернення рядка" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" -"Щоб отримати список доступних реєстраційних даних, надішліть запит HTTP GET " -"із кінцевою навскісною рискою у шляху до контейнера." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" -msgstr "Отримання реєстраційних даних" +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" +msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. The last portion of the URI is the name of the secret." +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -"Щоб прочитати значення окремого запису реєстраційних даних, надішліть запит " -"HTTP GET без кінцевої навскісної риски. Остання частина адреси вважатиметься " -"назвою запису реєстраційних даних." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +#, fuzzy +#| msgid "ldap_deref (string)" +msgid "ldap_perf.stp" +msgstr "ldap_deref (рядок)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -"Приклади: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" -msgstr "Встановлення реєстраційних даних" +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" +msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -"Щоб встановити запис реєстраційних даних з використанням типу " -"<quote>application/json</quote>, надішліть запит HTTP PUT із даними JSON, " -"які включатимуть тип і значення. Тип (type) має бути встановлено у значення " -"\"simple\", а значення (value) має містити дані реєстраційного запису. Якщо " -"запис із вказаною назвою вже існує, відповіддю буде повідомлення про помилку " -"409 HTTP." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 -msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +#, fuzzy +#| msgid "sssd-ldap" +msgid "sssd-ldap-attributes" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +#, fuzzy +#| msgid "SSSD LDAP provider" +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "Модуль надання даних LDAP SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +#, fuzzy +#| msgid "" +#| "This manual page describes the configuration of LDAP domains for " +#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>. Refer to the <quote>FILE FORMAT</quote> " +#| "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +#| "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +#| "information." +msgid "" +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -"Тип <quote>application/json</quote> просто надсилає реєстраційний ключ як " -"вміст повідомлення." +"На цій сторінці довідника описано налаштування доменів LDAP для " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
Щоб дізнатися більше про синтаксис налаштування, зверніться " +"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "Клас об’єктів запису користувача у LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "Типове значення: posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "Атрибут LDAP, що відповідає назві облікового запису користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Типове значення: uid (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "Атрибут LDAP, що відповідає ідентифікатору користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "Типове значення: uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "Атрибут LDAP, що відповідає ідентифікатору основної групи користувача." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" +msgstr "Типове значення: gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" +msgstr "ldap_user_primary_group (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Атрибут основної групи Active Directory для встановлення відповідності " +"ідентифікатора. Зауважте, що цей атрибут слід встановлювати вручну, лише " +"якщо ви користуєтеся засобом надання даних <quote>ldap</quote> з прив'язкою " +"до ідентифікаторів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "Типове значення: unset (LDAP), primaryGroupID (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "Атрибут LDAP, що відповідає полю gecos користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "Типове значення: gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "Атрибут LDAP, що містить назву домашнього каталогу користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" +"Атрибут LDAP, що містить шлях до типової командної оболонки користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "Типове значення: loginShell" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта користувача LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -"У наведеному нижче прикладі ми встановлюємо для реєстраційних даних із " -"назвою «foo» значення «foosecret», а для реєстраційних даних із назвою «bar» " -"— значення «barsecret», використовуючи різні значення Content Type. " -"<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Типове значення: не встановлено у загальному випадку, objectGUID для AD і " +"ipaUniqueID для IPA" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" -msgstr "Створення контейнера" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -"Контейнери надають додатковий простір назв для реєстраційних даних цього " -"користувача. Для створення контейнера надішліть запит HTTP POST, чи я адреса " -"завершуватиметься назвою контейнера. Будь ласка, зауважте, що адреса має " -"завершуватися символом навскісної риски." +"Атрибут LDAP, що містить objectSID об’єкта користувача LDAP. Зазвичай, " +"потрібен лише для серверів ActiveDirectory." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"Типове значення: objectSid для ActiveDirectory, не встановлено для інших " +"серверів." -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 -msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" -msgstr "" -"У наступному прикладі створюємо контейнер із назвою «mycontainer»: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Атрибут LDAP, що містить часову позначку останньої зміни батьківського " +"об’єкта." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" -"Щоб працювати із записами реєстраційних даних у цьому контейнері, просто " -"вкладіть записи реєстраційних даних до шляху контейнера: <placeholder type=" -"\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" +msgstr "Типове значення: modifyTimestamp" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" -msgstr "Вилучення реєстраційних даних або контейнера" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -"Щоб вилучити запис реєстраційних даних або контейнер, надішліть запит HTTP " -"DELETE із шляхом до запису реєстраційних даних або до контейнера." +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (дати останньої зміни пароля)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "Типове значення: shadowLastChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (мінімального віку пароля)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "Типове значення: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." msgstr "" -"У наведеному нижче прикладі ми вилучимо реєстраційні дані для запису «foo». " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (максимального віку пароля)." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" -msgstr "ПРИКЛАД НАЛАШТОВУВАННЯ МОДУЛІВ НАДАННЯ ДАНИХ CUSTODIA І ПРОКСІ" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "Типове значення: shadowMax" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. 
Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -"Для тестування засобу надання даних «proxy» вам слід налаштувати проксі-" -"передавання на сервер Custodia. Будь ласка, завжди користуйтеся " -"документацією до Custodia, оскільки інструкції налаштовування у різних " -"версіях Custodia можуть бути різними." +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (проміжку попередження щодо пароля)." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "Типове значення: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (тривалості періоду невикористання пароля)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "Типове значення: shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -"Ці налаштування визначають для сервера Custodia адресу очікування даних " -"http://localhost:8080, дозволяють будь-кому із заголовком із назвою " -"MYSECRETNAME, який встановлено у значення mysecretkey, обмін даними із " -"сервером Custodia. Запишіть ці дані до файла (наприклад, " -"<replaceable>custodia.conf</replaceable>): <placeholder type=\"programlisting" -"\" id=\"0\"/>" +"У разі використання ldap_pwd_policy=shadow або " +"ldap_account_expire_policy=shadow цей параметр містить назву атрибута LDAP, " +"який є відповідником параметра <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> (дати завершення " +"строку дії пароля)." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "Типове значення: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -"Далі, віддайте команду <replaceable>custodia</replaceable>, вказавши файл " -"налаштувань у параметрі командного рядка." +"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить " +"назву атрибута LDAP, у якому зберігається дата і час останньої зміни пароля " +"у kerberos." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "Типове значення: krbLastPwdChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -"Будь ласка, зверніть увагу на те, що у поточній версії неможливо на " -"загальному рівні переспрямовувати усі запити до екземпляра Custodia. Замість " -"цього слід визначати підрозділи для окремих ідентифікаторів користувачів, " -"які переспрямовуватимуть запити до Custodia. У наведеному нижче прикладі " -"проілюстровано конфігурацію, за якої запити користувача із UID 123 " -"переспрямовуватимуться до Custodia, а запити усіх інших користувачів " -"оброблятимуться локальним засобом надання даних." +"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить " +"назву атрибута LDAP, у якому зберігається дата і час завершення строку дії " +"поточного пароля." -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "Типове значення: krbPasswordExpiration" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." msgstr "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву " +"атрибута LDAP, у якому зберігаються дані щодо строку завершення дії " +"облікового запису." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" -msgstr "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "Типове значення: accountExpires" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" -msgstr "Налаштовування записів сеансів за допомогою SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (рядок)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -"На цій сторінці підручника описано налаштовування <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"на роботу з <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, частиною пакунка tlog, для " -"реалізації записування сеансів користувачів у текстових терміналах. " -"Докладний довідник щодо синтаксису налаштувань можна знайти у розділі " -"<quote>ФОРМАТ ФАЙЛА</quote> сторінки підручника з <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву " +"атрибута LDAP, у якому зберігаються дані щодо поля контрольного біта " +"облікового запису користувача." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "Типове значення: userAccountControl" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -"SSSD можна налаштувати так, щоб уможливити запис усіх даних, які бачать або " -"вводять протягом сеансу у текстових терміналах вказані користувачі. " -"Наприклад, можна записувати дані щодо входу користувачів за допомогою " -"консолі або SSH. Сама SSSD нічого не записує, а лише забезпечує запуск tlog-" -"rec-session під час входу до системи користувача, щоб можна було здійснювати " -"запис відповідно до налаштувань." +"Якщо вказано ldap_account_expire_policy=rhds або еквівалентне налаштування, " +"цей параметр визначає, заборонено чи дозволено доступ." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "Типове значення: nsAccountLock" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -"Для користувачів, для яких увімкнено запис сеансів, SSSD замінює командну " -"оболонку користувача на tlog-rec-session у відповідях NSS і додає змінну, " -"яка вказує на початкову командну оболонку до середовища користувача у " -"налаштування сеансу PAM. Таким чином забезпечується запуск tlog-rec-session " -"замість командної оболонки користувача і надання даних про те, яку командну " -"оболонку слід запустити, щойно розпочнеться записування." +"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає, дозволено " +"чи заборонено доступ." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." -msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "Типове значення: loginDisabled" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -"У наведеному нижче фрагменті файла sssd.conf увімкнено запис сеансів для " -"користувачів contractor1 і contractor2» та групи students." +"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає дату, до " +"якої надано доступ." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" +"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає годити дня " +"тижня, коли надається доступ." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "Типове значення: loginAllowedTimeMap" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +"Атрибут LDAP, що містить Kerberos User Principal Name (UPN) користувача." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" -msgstr "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "Типове значення: krbPrincipalName" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" -msgstr "Керування кешем Kerberos SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (рядок)" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " -"credential caches. 
It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -"На цій сторінці підручника описано налаштування засобу керування кешем " -"Kerberos SSSD (Kerberos Cache Manager або KCM). KCM є процесом, який " -"зберігає, стежить і керує кешем реєстраційних даних Kerberos. Ідея створення " -"засобу походить із проєкту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT " -"також надається підтримка з боку клієнта для кешу реєстраційних даних KCM " -"(докладніше про це нижче)." +"Відокремлений комами список атрибутів LDAP, які SSSD має отримувати разом зі " +"звичайним набором атрибутів запису користувача." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." 
msgstr "" -"У конфігураціях, де кешем Kerberos керує KCM, бібліотека Kerberos (типово " -"використовується за допомогою якоїсь програми, наприклад <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>) є <quote>клієнтом KCM</quote>, а фонова служба KCM вважається " -"<quote>сервером KCM</quote>. Клієнт і сервер обмінюються даними за допомогою " -"сокета UNIX." +"Список може або містити лише назви атрибутів LDAP, або відокремлені " +"двокрапками кортежі з назви атрибута кешу SSSD та назви атрибута LDAP. Якщо " +"вказано лише назву атрибута LDAP, атрибут зберігається до кешу буквально. " +"Використання нетипової назви атрибута SSSD може бути потрібним середовищам, " +"де налаштовано декілька доменів SSSD з різними схемами LDAP." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." msgstr "" -"Сервер KCM стежити за кожним власником кешу реєстраційних даних і виконує " -"перевірку прав доступу на основі UID і GID клієнта KCM. Користувач root має " -"доступ до усіх кешів реєстраційних даних." +"Будь ласка, зауважте, що декілька назв атрибутів зарезервовано SSSD, зокрема " +"атрибут «name». SSSD повідомить про помилку, якщо будь-які із зарезервованих " +"назв атрибутів використано як назву додаткового атрибута." -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" -msgstr "Кеш реєстраційних даних KCM має декілька цікавих властивостей:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -"оскільки процес виконується у просторі користувача, він підлягає обмеженням " -"за простором назв UID, на відміну від набору ключів ядра" +"Зберегти атрибут «telephoneNumber» з LDAP як «telephoneNumber» до кешу." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" -msgstr "" -"на відміну від кешу на основі наборів ключів ядра, який є спільним для усіх " -"контейнерів, сервер KCM є окремим процесом, чия точка входу є сокетом UNIX" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "Зберегти атрибут «telephoneNumber» з LDAP як «phone» до кешу." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 -#, fuzzy -#| msgid "" -#| "the SSSD implementation stores the ccaches in the SSSD <citerefentry> " -#| "<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" -#| "citerefentry> secrets store, allowing the ccaches to survive KCM server " -#| "restarts or machine reboots." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "Атрибут LDAP, який містить відкриті ключі SSH користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" +msgstr "Типове значення: sshPublicKey" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "Атрибут LDAP, що відповідає повному імені користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "Атрибут LDAP зі списком груп, у яких бере участь користувач." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "Типове значення: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." 
msgstr "" -"реалізація у SSSD зберігає ccache-і у сховищі реєстраційних даних " -"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> SSSD, що надає змогу ccache-ам переживати " -"перезапуски сервера KCM та перезавантаження комп'ютера." +"Якщо access_provider=ldap і ldap_access_order=authorized_service, SSSD " +"використовуватиме наявність атрибута authorizedService у записі користувача " +"LDAP для визначення прав доступу." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -"Це надає змогу системі використовувати кеш реєстраційних даних із " -"врахуванням збірок, одночасно надаючи спільний доступ до кешу реєстраційних " -"даних для декількох контейнерів або без контейнерів взагалі шляхом " -"прив'язування-монтування сокета." - -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" -msgstr "КОРИСТУВАННЯ КЕШЕМ РЕЄСТРАЦІЙНИХ ДАНИХ KCM" +"Спочатку визначаються явні заборони (!svc). Далі SSSD шукає явні дозволи " +"(svc) і нарешті загальні дозволи або allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +"Будь ласка, зауважте, що параметр налаштування ldap_access_order " +"<emphasis>має</emphasis> включати <quote>authorized_service</quote>, щоб " +"система змогла скористатися параметром ldap_user_authorized_service." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. " +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -"Для використання кешу реєстраційних даних KCM його слід вибрати стандартним " -"типом реєстраційних даних у <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Назвою кешу " -"реєстраційних даних має бути лише <quote>KCM:</quote> без будь-яких " -"розширень шаблонами. Приклад: <placeholder type=\"programlisting\" id=\"0\"/>" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "Типове значення: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -"Далі, слід визначити однаковий шлях до сокета UNIX для клієнтських бібліотек " -"Kerberos і сервера KCM. Типово, у обох випадках використовується однаковий " -"шлях <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. Для " -"налаштовування бібліотеки Kerberos змініть значення її параметра " -"<quote>kcm_socket</quote>, як це описано на сторінці підручника " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"Якщо access_provider=ldap і ldap_access_order=host, SSSD використовуватиме " +"наявність атрибута host у записі користувача LDAP для визначення прав " +"доступу." -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +"Спочатку визначаються явні заборони (!host). Далі SSSD шукає явні дозволи " +"(host) і нарешті загальні дозволи або allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -"Нарешті, переконайтеся, що з сервером KCM SSSD можна встановити зв'язок. " -"Типово, служба KCM вмикається за допомогою сокета з <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. На відміну від інших служб SSSD, її не можна запустити " -"додаванням рядка <quote>kcm</quote> до інструкції <quote>service</quote>. 
" -"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що " -"відповідні налаштування модулів вже могло бути виконано засобами вашого " -"дистрибутива." +"Будь ласка, зауважте, що параметр налаштування ldap_access_order " +"<emphasis>має</emphasis> включати <quote>host</quote>, щоб можна було " +"скористатися параметром ldap_user_authorized_host." -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" -msgstr "СХОВИЩЕ КЕШУ РЕЄСТРАЦІЙНИХ ДАНИХ" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "Типове значення: host" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" +msgstr "ldap_user_authorized_rhost (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -"Кеші реєстраційних даних зберігаються у базі даних, дуже подібно до кешів " -"записів користувачів і груп SSSD. Типово, база даних зберігається у <quote>/" -"var/lib/sss/secrets</quote>." - -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" -msgstr "ОТРИМАННЯ ДІАГНОСТИЧНОГО ЖУРНАЛУ" +"Якщо access_provider=ldap і ldap_access_order=rhost, SSSD використовуватиме " +"наявність атрибута rhost у записі користувача LDAP для визначення прав " +"доступу. Те саме стосується і процесу перевірки вузла." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -"[kcm]\n" -"debug_level = 10\n" -" " +"Спочатку визначаються явні заборони (!rhost). Далі SSSD шукає явні дозволи " +"(rhost) і нарешті загальні дозволи або allow_all (*)." -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"systemctl restart sssd-kcm.service\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -"systemctl restart sssd-kcm.service\n" -" " +"Будь ласка, зауважте, що параметр налаштування ldap_access_order " +"<emphasis>має</emphasis> включати <quote>rhost</quote>, щоб можна було " +"скористатися параметром ldap_user_authorized_rhost." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. 
To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" +msgstr "Типове значення: rhost" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "Назва атрибута LDAP, що містить сертифікат X509 користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "Типове значення: userCertificate;binary" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "ldap_user_email (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -"Типово, служба sssd-kcm активує крізь сокет <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Для створення діагностичних журналів додайте вказані нижче " -"рядки або безпосередньо до файла <filename>/etc/sssd/sssd.conf</filename>, " -"або як фрагмент налаштувань до каталогу <filename>/etc/sssd/conf.d/</" -"filename>: <placeholder type=\"programlisting\" id=\"0\"/> Далі, " -"перезапустіть службу sssd-kcm: <placeholder type=\"programlisting\" id=\"1\"/" -"> Нарешті, виконайте дії, які не призводять до бажаних для вас наслідків. " -"Журнал KCM буде записано до <filename>/var/log/sssd/sssd_kcm.log</filename>. " -"Рекомендуємо вимкнути ведення діагностичного журналу, якщо вам не потрібні " -"діагностичні дані, оскільки служба sssd-kcm може породжувати доволі великий " -"обсяг діагностичних даних." +"Назва атрибута LDAP, який містить адресу електронної пошти користувача." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." 
msgstr "" -"Будь ласка, зауважте, що у поточній версії фрагменти налаштувань буде " -"оброблено, лише якщо взагалі існує основний файл налаштувань <filename>/etc/" -"sssd/sssd.conf</filename>." +"Зауваження: якщо адреса електронної пошти користувача конфліктує із адресою " +"електронної пошти або повним ім'ям іншого користувача, SSSD не зможе " +"обслуговувати належним чином записи таких користувачів. Якщо з якоїсь " +"причини у декількох користувачів має бути одна адреса електронної пошти, " +"встановіть для цього параметра довільну назву атрибута, щоб вимкнути пошук і " +"вхід до системи за адресою електронної пошти." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" +msgstr "Типове значення: mail" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." +msgstr "Клас об’єктів запису групи у LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" +msgstr "Типове значення: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "Атрибут LDAP, що відповідає назві групи." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "Типове значення: cn (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "Атрибут LDAP, що відповідає ідентифікатору групи." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "Атрибут LDAP, у якому містяться імена учасників групи." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Типове значення: memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта групи LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" +"Атрибут LDAP, що містить objectSID об’єкта групи LDAP. Зазвичай, потрібен " +"лише для серверів ActiveDirectory." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 #, fuzzy -#| msgid "" -#| "This manual page describes the files provider for <citerefentry> " -#| "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -#| "citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -#| "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#| msgid "ldap_group_name (string)" +msgid "ldap_group_type (string)" +msgstr "ldap_group_name (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -"На цій сторінці довідника описано налаштування засобу обробки файлів для " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. Щоб дізнатися більше про синтаксис налаштування, зверніться " -"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"Атрибут LDAP, що містить ціле значення і позначає тип групи, а також, " +"можливо, інші прапорці." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." 
+"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -"Службі kcm можна передавати типові параметри служби SSSD, зокрема " -"<quote>debug_level</quote> та <quote>fd_limit</quote> Із повним списком " -"параметрів можна ознайомитися на сторінці підручника <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>. Крім того, передбачено декілька специфічних для KCM " -"параметрів." +"Цей атрибут у поточній версії використовується лише засобом надання даних AD " +"для визначення, чи є група локальною групою домену і чи має бути її " +"відфільтровано у списку надійних (довірених) доменів." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" -msgstr "socket_path (рядок)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" +"Типове значення: groupType у засобі надання даних AD, у інших засобах не " +"встановлено" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." -msgstr "Сокет, на якому очікуватиме на з'єднання служба KCM." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" +msgstr "ldap_group_external_member (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." msgstr "" -"Типове значення: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -#, fuzzy -#| msgid "max_secrets (integer)" -msgid "max_ccaches (integer)" -msgstr "max_secrets (ціле значення)" +"Атрибут LDAP, який посилається на записи учасників групи, які визначено у " +"зовнішньому домені. У поточній версії передбачено підтримку лише зовнішніх " +"записів учасників IPA." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" +"Типове значення: ipaExternalMember у засобі надання даних IPA, у інших " +"засобах не визначено." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -#, fuzzy -#| msgid "max_uid_secrets (integer)" -msgid "max_uid_ccaches (integer)" -msgstr "max_uid_secrets (ціле число)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "ldap_netgroup_object_class (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." -msgstr "" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "Клас об’єктів запису мережевої групи (netgroup) у LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 64" -msgstr "Типове значення: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "У надавачі даних IPA має бути використано ipa_netgroup_object_class." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -#, fuzzy -#| msgid "max_payload_size (integer)" -msgid "max_ccache_size (integer)" -msgstr "max_payload_size (ціле значення)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" +msgstr "Типове значення: nisNetgroup" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 -msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" +msgstr "ldap_netgroup_name (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "Атрибут LDAP, що відповідає назві мережевої групи (netgroup)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "У надавачі даних IPA має бути використано ipa_netgroup_name." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" +msgstr "ldap_netgroup_member (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" +"Атрибут LDAP, у якому містяться імена учасників мережевої групи (netgroup)." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 6" -msgid "Default: 65536" -msgstr "Типове значення: 6" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "У надавачі даних IPA має бути використано ipa_netgroup_member." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" +msgstr "Типове значення: memberNisNetgroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" +msgstr "ldap_netgroup_triple (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +"Атрибут LDAP, що містить трійки мережевої групи (вузол, користувач, домен)." -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" -msgstr "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." +msgstr "Цим параметром не можна скористатися у надавачі даних IPA." -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" -msgstr "Дані systemtap SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" +msgstr "Типове значення: nisNetgroupTriple" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (рядок)" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -"Цю сторінку підручника присвячено функціональним можливостям systemtap у " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" +msgstr "ldap_host_object_class (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." +msgstr "Клас об’єктів запису вузла у LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" +msgstr "Типове значення: ipService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" +msgstr "ldap_host_name (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "Атрибут LDAP, що відповідає назві вузла." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" +msgstr "ldap_host_fqdn (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." -msgstr "" -"Точки зондування SystemTap додано до різноманітних частин коду SSSD, щоб " -"полегшити усування вад та аналіз пов'язаних зі швидкодією проблем." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "Атрибут LDAP, що відповідає повній назві вузла." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "Типове значення: fqdn" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" +msgstr "ldap_host_serverhostname (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" +msgstr "Типове значення: serverHostname" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" +msgstr "ldap_host_member_of (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "Атрибут LDAP зі списком груп, у яких бере участь вузол." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" +msgstr "ldap_host_ssh_public_key (рядок)" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" -msgstr "" -"Зразки скриптів SystemTap зберігаються у каталозі /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "Атрибут LDAP, який містить відкриті ключі SSH вузла." -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." -msgstr "" -"Зонди і різноманітні функції визначено у /usr/share/systemtap/tapset/sssd." -"stp і /usr/share/systemtap/tapset/sssd_functions.stp, відповідно." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" +msgstr "ldap_host_uuid (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта вузла LDAP." #. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" -msgstr "ТОЧКИ ЗОНДУВАННЯ" +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "РОЗДІЛИ СЛУЖБ" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" -msgstr "" -"Дані у наведених нижче списках точок зондування та аргументів записано у " -"такому форматі:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" +msgstr "ldap_service_object_class (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" -msgstr "зонд $назва" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." +msgstr "Клас об’єктів запису служби у LDAP." -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" -msgstr "Опис точки зондування" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" +msgstr "ldap_service_name (рядок)" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -"змінна1:тип даних\n" -"змінна2:тип даних\n" -"змінна3:тип даних\n" -"...\n" -" " +"Атрибут LDAP, що містить назву атрибутів служби та замінників цих атрибутів." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" -msgstr "Зонди операцій із базою даних" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" +msgstr "ldap_service_port (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" -msgstr "зонд sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "Атрибут LDAP, що містить номер порту, яким керує ця служба." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." -msgstr "Розпочати операцію sysdb, зондує функцію sysdb_transaction_start()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "Типове значення: ipServicePort" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " -msgstr "" -"nesting:ціле число\n" -"probestr:рядок\n" -" " +"The LDAP attribute that contains the protocols understood by this service." +msgstr "Атрибут LDAP, що містить протоколи, за яким може працювати ця служба." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" -msgstr "зонд sssd_transaction_cancel" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" +msgstr "Типове значення: ipServiceProtocol" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -"Скасовування операції sysdb, зондує функцію sysdb_transaction_cancel() ." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" -msgstr "зонд sssd_transaction_commit_before" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." -msgstr "Зондує функцію sysdb_transaction_commit_before()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "Клас об’єктів запису правила sudo у LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" -msgstr "зонд sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" +msgstr "Типове значення: sudoRole" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." -msgstr "Зондує функцію sysdb_transaction_commit_after()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" -msgstr "Зонди пошуку у LDAP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." 
+msgstr "Атрибут LDAP, що відповідає назві правила sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" -msgstr "зонд sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." -msgstr "Зондує функцію sdap_get_generic_ext_send()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "Атрибут LDAP, що відповідає назві команди." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " -msgstr "" -"base:рядок\n" -"scope:ціле число\n" -"filter:рядок\n" -"probestr:рядок\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" +msgstr "Типове значення: sudoCommand" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" -msgstr "зонд sdap_search_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (рядок)" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." -msgstr "Зондує функцію sdap_get_generic_ext_recv()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" +"Атрибут LDAP, який відповідає назві вузла (або IP-адресі вузла, IP-мережі " +"вузла, мережевій групі вузла)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" -msgstr "зонд sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" +msgstr "Типове значення: sudoHost" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." -msgstr "Зондує функцію sdap_deref_search_send()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -"base_dn:рядок\n" -"deref_attr:рядок\n" -"probestr:рядок\n" -" " +"Атрибут LDAP, що відповідає назві імені користувача (або UID, назві групи " +"або назві мережевої групи користувача)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" -msgstr "зонд sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" +msgstr "Типове значення: sudoUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." -msgstr "Зондує функцію sdap_deref_search_recv()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" -msgstr "Зонди запитів щодо облікових записів у LDAP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "Атрибут LDAP, що відповідає параметрам sudo." -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" -msgstr "зонд sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" +msgstr "Типове значення: sudoOption" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." -msgstr "Зондує функцію sdap_acct_req_send()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -"entry_type:ціле число\n" -"filter_type:ціле число\n" -"filter_value:рядок\n" -"extra_value:рядок\n" -" " +"Атрибут LDAP, що відповідає користувачеві, від імені якого можна виконувати " +"команди." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" -msgstr "зонд sdap_acct_req_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" +msgstr "Типове значення: sudoRunAsUser" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." -msgstr "Зондує функцію sdap_acct_req_recv()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" -msgstr "Зонди пошуку користувачів у LDAP" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" +"Атрибут LDAP, що відповідає назві групи або GID, від імені якої можна " +"виконувати команди." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" -msgstr "зонд sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" +msgstr "Типове значення: sudoRunAsGroup" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." -msgstr "Зондує функцію sdap_search_user_send()." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -"filter:рядок\n" -" " +"Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" -msgstr "зонд sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" +msgstr "Типове значення: sudoNotBefore" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." -msgstr "Зондує функцію sdap_search_user_recv()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" -msgstr "зонд sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." -msgstr "Зондує функцію sdap_search_user_save_begin()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" +msgstr "Типове значення: sudoNotAfter" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" -msgstr "зонд sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." -msgstr "Зондує функцію sdap_search_user_save_end()." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "Атрибут LDAP, що відповідає порядковому номеру правила." -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" -msgstr "Зонди запитів до постачальника даних" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" +msgstr "Типове значення: sudoOrder" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" -msgstr "зонд dp_req_send" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +#, fuzzy +#| msgid "AUTOFS OPTIONS" +msgid "AUTOFS ATTRIBUTES" +msgstr "ПАРАМЕТРИ AUTOFS" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." -msgstr "Подано запит до постачальника даних." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." +msgstr "Клас об’єктів запису карти автоматичного монтування у LDAP." + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -"dp_req_domain:рядок\n" -"dp_req_name:рядок\n" -"dp_req_target:ціле число\n" -"dp_req_method:ціле число\n" -" " +"Типове значення: nisMap (rfc2307, autofs_provider=ad), у інших випадках " +"automountMap" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" -msgstr "зонд dp_req_done" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." -msgstr "Завершено виконання запиту до постачальника даних." +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." +msgstr "Назва запису карти автоматичного монтування у LDAP." -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -"dp_req_name:рядок\n" -"dp_req_target:ціле число\n" -"dp_req_method:ціле число\n" -"dp_ret:ціле число\n" -"dp_errorstr:рядок\n" -" " - -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" -msgstr "РІЗНОМАНІТНІ ФУНКЦІЇ" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" -msgstr "функція acct_req_desc(entry_type)" +"Типове значення: nisMapName (rfc2307, autofs_provider=ad), у інших випадках " +"automountMapName" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" -msgstr "Перетворення entry_type на рядок і повернення рядка" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -"функція sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +"Клас об'єктів автоматичного монтування LDAP. Цей запис зазвичай відповідає " +"точні монтування." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" -msgstr "Створення рядка зонду на основі типу фільтрування" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" +"Типове значення: nisObject (rfc2307, autofs_provider=ad), у інших випадках " +"automount" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" -msgstr "функція dp_target_str(target)" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (рядок)" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" -msgstr "Перетворення target на рядок і повернення рядка" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" +"Ключ запису автоматичного монтування LDAP. Цей запис зазвичай відповідає " +"точні монтування." -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" -msgstr "функція dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" +"Типове значення: cn (rfc2307, autofs_provider=ad), у інших випадках " +"automountKey" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" -msgstr "Перетворення методу на рядок і повернення рядка" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (рядок)" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" +"Типове значення: nisMapEntry (rfc2307, autofs_provider=ad), у інших випадках " +"automountInformation" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 
@@ -21067,6 +21449,65 @@ msgstr "ldap_group_external_member = ipaExternalMember" #~ msgid "Default: homeDirectory" #~ msgstr "Типове значення: homeDirectory" +#~ msgid "ldap_group_type (integer)" +#~ msgstr "ldap_group_type (ціле число)" + +#~ msgid "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +#~ msgstr "" +#~ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +#~ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +#~ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +#~ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the InteractiveLogonRight and " +#~ "DenyInteractiveLogonRight policy settings." +#~ msgstr "" +#~ "Список назв служб PAM, відокремлених комами, для яких керування доступом " +#~ "на основі GPO виконуватиметься на основі параметрів правил " +#~ "InteractiveLogonRight і DenyInteractiveLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the RemoteInteractiveLogonRight and " +#~ "DenyRemoteInteractiveLogonRight policy settings." +#~ msgstr "" +#~ "Список назв служб PAM, відокремлених комами, для яких керування доступом " +#~ "на основі GPO засновано на параметрах захисту RemoteInteractiveLogonRight " +#~ "і DenyRemoteInteractiveLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the NetworkLogonRight and " +#~ "DenyNetworkLogonRight policy settings." 
+#~ msgstr "" +#~ "Список назв служб PAM, відокремлених комами, для яких керування доступом " +#~ "на основі GPO засновано на параметрах захисту NetworkLogonRight і " +#~ "DenyNetworkLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +#~ "policy settings." +#~ msgstr "" +#~ "Список назв служб PAM, відокремлених комами, для яких керування доступом " +#~ "на основі GPO засновано на параметрах захисту BatchLogonRight і " +#~ "DenyBatchLogonRight." + +#~ msgid "" +#~ "A comma-separated list of PAM service names for which GPO-based access " +#~ "control is evaluated based on the ServiceLogonRight and " +#~ "DenyServiceLogonRight policy settings." +#~ msgstr "" +#~ "Список назв служб PAM, відокремлених комами, для яких керування доступом " +#~ "на основі GPO засновано на параметрах захисту ServiceLogonRight і " +#~ "DenyServiceLogonRight." + #~ msgid "" #~ "The KCM service is configured in the <quote>kcm</quote> section of the " #~ "sssd.conf file. Please note that currently, is it not sufficient to " diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po index 43e38940213..cca30a82fcb 100644 --- a/src/man/po/zh_CN.po +++ b/src/man/po/zh_CN.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.1.1\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" -"POT-Creation-Date: 2019-09-12 05:05+0200\n" +"POT-Creation-Date: 2019-11-30 22:23+0100\n" "PO-Revision-Date: 2014-12-15 12:16+0000\n" "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/" 
@@ -31,7 +31,7 @@ msgstr "" #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 -#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 msgid "SSSD Manual pages" msgstr "SSSD 手册页面" @@ -74,7 +74,7 @@ msgstr "" #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 -#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 msgid "DESCRIPTION" msgstr "" @@ -139,7 +139,7 @@ msgstr "sssd.conf" #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 -#: sssd-systemtap.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" @@ -148,7 +148,7 @@ msgstr "5" #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 -#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" 
@@ -299,12 +299,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:133 sssd.conf.5.xml:605 sssd.conf.5.xml:902 -#: sssd.conf.5.xml:1675 sssd.conf.5.xml:1705 sssd-ldap.5.xml:1857 -#: sssd-ldap.5.xml:1955 sssd-ldap.5.xml:2017 sssd-ldap.5.xml:2594 -#: sssd-ldap.5.xml:2659 sssd-ipa.5.xml:326 sssd-ad.5.xml:227 sssd-ad.5.xml:341 -#: sssd-ad.5.xml:926 sssd-ad.5.xml:1059 sssd-krb5.5.xml:499 -#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +#: sssd.conf.5.xml:133 sssd.conf.5.xml:330 sssd.conf.5.xml:646 +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1716 sssd.conf.5.xml:1746 +#: sssd-ldap.5.xml:910 sssd-ldap.5.xml:1008 sssd-ldap.5.xml:1070 +#: sssd-ldap.5.xml:1503 sssd-ldap.5.xml:1568 sssd-ipa.5.xml:326 +#: sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:1038 sssd-ad.5.xml:1171 +#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 msgid "Default: true" msgstr "" 
@@ -321,19 +321,23 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:146 sssd.conf.5.xml:602 sssd.conf.5.xml:784 -#: sssd.conf.5.xml:1608 sssd.conf.5.xml:3241 sssd-ldap.5.xml:746 -#: sssd-ldap.5.xml:1708 sssd-ldap.5.xml:1727 sssd-ldap.5.xml:1927 -#: sssd-ldap.5.xml:2353 sssd-ldap.5.xml:2683 sssd-ipa.5.xml:151 +#: sssd.conf.5.xml:146 sssd.conf.5.xml:643 sssd.conf.5.xml:825 +#: sssd.conf.5.xml:1649 sssd.conf.5.xml:3304 sssd-ldap.5.xml:305 +#: sssd-ldap.5.xml:761 sssd-ldap.5.xml:780 sssd-ldap.5.xml:980 +#: sssd-ldap.5.xml:1406 sssd-ldap.5.xml:1592 sssd-ipa.5.xml:151 #: sssd-ipa.5.xml:238 sssd-ipa.5.xml:574 sssd-krb5.5.xml:266 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 msgid "Default: false" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2391 -#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 -#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +#. type: Content of: outside any tag (error?) +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1444 +#: sssd-ldap.5.xml:1615 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 +#: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330 +#: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646 +#: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873 +#: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028 +#: include/autofs_attributes.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" 
@@ -356,8 +360,8 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:169 sssd.conf.5.xml:1439 sssd.conf.5.xml:3257 -#: sssd-ldap.5.xml:1579 include/ldap_id_mapping.xml:264 +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1480 sssd.conf.5.xml:3320 +#: sssd-ldap.5.xml:632 include/ldap_id_mapping.xml:264 msgid "Default: 10" msgstr "" @@ -372,7 +376,7 @@ msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:191 sssd.conf.5.xml:3346 +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3409 msgid "Section parameters" msgstr "" @@ -420,19 +424,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:231 sssd.conf.5.xml:676 +#: sssd.conf.5.xml:231 sssd.conf.5.xml:717 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:234 sssd.conf.5.xml:679 +#: sssd.conf.5.xml:234 sssd.conf.5.xml:720 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:239 sssd.conf.5.xml:684 +#: sssd.conf.5.xml:239 sssd.conf.5.xml:725 msgid "Default: 3" msgstr "默认: 3" @@ -452,7 +456,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:259 sssd.conf.5.xml:2789 +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2852 msgid "re_expression (string)" msgstr "" 
@@ -472,12 +476,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:276 sssd.conf.5.xml:2837 +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2900 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:279 sssd.conf.5.xml:2840 +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2903 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " 
@@ -485,39 +489,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:290 sssd.conf.5.xml:2851 +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2914 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:291 sssd.conf.5.xml:2852 +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2915 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:294 sssd.conf.5.xml:2855 +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2918 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:297 sssd.conf.5.xml:2858 +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2921 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:303 sssd.conf.5.xml:2864 +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2927 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:306 sssd.conf.5.xml:2867 +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2930 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:287 sssd.conf.5.xml:2848 +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2911 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" @@ -532,20 +536,31 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 -msgid "try_inotify (boolean)" +msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 msgid "" -"SSSD monitors the state of resolv.conf to identify when it needs to update " -"its internal DNS resolver. By default, we will attempt to use inotify for " -"this, and will fall back to polling resolv.conf every five seconds if " -"inotify cannot be used." +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:335 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:338 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:333 +#: sssd.conf.5.xml:344 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " 
@@ -553,52 +568,52 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:339 +#: sssd.conf.5.xml:350 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:343 +#: sssd.conf.5.xml:354 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:350 +#: sssd.conf.5.xml:361 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:353 +#: sssd.conf.5.xml:364 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:357 +#: sssd.conf.5.xml:368 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:363 +#: sssd.conf.5.xml:374 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:370 +#: sssd.conf.5.xml:381 msgid "user (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:373 +#: sssd.conf.5.xml:384 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. <phrase condition=\"have_systemd\"> This option does not work " @@ -611,17 +626,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:391 +#: sssd.conf.5.xml:402 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:396 +#: sssd.conf.5.xml:407 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:399 +#: sssd.conf.5.xml:410 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " @@ -631,7 +646,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:409 +#: sssd.conf.5.xml:420 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " 
@@ -644,23 +659,23 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:424 sssd.conf.5.xml:1228 sssd-ldap.5.xml:717 -#: sssd-ldap.5.xml:1306 sssd-ldap.5.xml:1667 sssd-ldap.5.xml:1679 -#: sssd-ldap.5.xml:1771 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 -#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 -#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 -#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: sssd.conf.5.xml:435 sssd.conf.5.xml:1269 sssd-ldap.5.xml:720 +#: sssd-ldap.5.xml:732 sssd-ldap.5.xml:824 sssd-ad.5.xml:843 sssd-ad.5.xml:918 +#: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 +#: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 +#: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470 +#: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205 #: include/ldap_id_mapping.xml:216 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:429 +#: sssd.conf.5.xml:440 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:432 +#: sssd.conf.5.xml:443 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " @@ -670,7 +685,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:441 +#: sssd.conf.5.xml:452 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " 
@@ -679,22 +694,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:449 +#: sssd.conf.5.xml:460 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:454 +#: sssd.conf.5.xml:465 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:462 +#: sssd.conf.5.xml:473 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:464 +#: sssd.conf.5.xml:475 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " 
@@ -702,69 +717,88 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:472 +#: sssd.conf.5.xml:483 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:485 sssd.conf.5.xml:585 +msgid "(NSS Version) This option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:488 +msgid "" +"(OpenSSL Version) If a connection cannot be established to an OCSP responder " +"the OCSP check is skipped. This option should be used to allow " +"authentication when the system is offline and the OCSP responder cannot be " +"reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:498 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:474 +#: sssd.conf.5.xml:500 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:478 +#: sssd.conf.5.xml:504 msgid "sha1" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:479 +#: sssd.conf.5.xml:505 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:480 +#: sssd.conf.5.xml:506 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:481 +#: sssd.conf.5.xml:507 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:484 +#: sssd.conf.5.xml:510 #, fuzzy #| msgid "Default: 3" msgid "Default: sha256" msgstr "默认: 3" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:486 +#: sssd.conf.5.xml:512 msgid "" "(NSS Version) This option is ignored, because NSS uses sha1 unconditionally." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:492 +#: sssd.conf.5.xml:518 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:494 +#: sssd.conf.5.xml:520 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:500 +#: sssd.conf.5.xml:526 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:502 +#: sssd.conf.5.xml:528 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " @@ -772,19 +806,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:508 +#: sssd.conf.5.xml:534 msgid "" "(NSS Version) This option must be used together with " "ocsp_default_responder_signing_cert." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:516 +#: sssd.conf.5.xml:542 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:518 +#: sssd.conf.5.xml:544 msgid "" "(NSS Version) The nickname of the cert to trust (expected) to sign the OCSP " "responses. The certificate with the given nickname must be available in the " 
@@ -792,24 +826,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:523 +#: sssd.conf.5.xml:549 msgid "This option must be used together with ocsp_default_responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:525 +#: sssd.conf.5.xml:551 msgid "" "(OpenSSL version) This option is currently ignored. All needed certificates " "must be available in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:533 +#: sssd.conf.5.xml:559 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:535 +#: sssd.conf.5.xml:561 msgid "" "(NSS Version) This option is ignored, please see <citerefentry> " "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </" @@ -818,7 +852,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:544 +#: sssd.conf.5.xml:570 msgid "" "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the given " "file during the verification of the certificate. The CRL must be given in " 
@@ -826,8 +860,22 @@ msgid "" "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:583 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 +msgid "" +"(OpenSSL Version) If a Certificate Revocation List (CRL) is expired ignore " +"the CRL checks for the related certificates. This option should be used to " +"allow authentication when the system is offline and the CRL cannot be " +"renewed." +msgstr "" + #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:457 +#: sssd.conf.5.xml:468 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder type=" 
@@ -835,68 +883,68 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:559 sssd.conf.5.xml:1424 sssd.conf.5.xml:1730 +#: sssd.conf.5.xml:600 sssd.conf.5.xml:1465 sssd.conf.5.xml:1793 msgid "This man page was generated for the NSS version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:562 sssd.conf.5.xml:1427 sssd.conf.5.xml:1733 +#: sssd.conf.5.xml:603 sssd.conf.5.xml:1468 sssd.conf.5.xml:1796 msgid "This man page was generated for the OpenSSL version." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:566 +#: sssd.conf.5.xml:607 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:569 +#: sssd.conf.5.xml:610 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:575 +#: sssd.conf.5.xml:616 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:578 +#: sssd.conf.5.xml:619 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:583 +#: sssd.conf.5.xml:624 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:588 +#: sssd.conf.5.xml:629 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:593 +#: sssd.conf.5.xml:634 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:596 +#: sssd.conf.5.xml:637 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:610 +#: sssd.conf.5.xml:651 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:613 +#: sssd.conf.5.xml:654 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " @@ -907,7 +955,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:625 +#: sssd.conf.5.xml:666 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input, for all " @@ -924,7 +972,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:650 sssd.conf.5.xml:1451 sssd.conf.5.xml:3307 +#: sssd.conf.5.xml:691 sssd.conf.5.xml:1492 sssd.conf.5.xml:3370 #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 msgid "Default: Not set" msgstr "" 
@@ -941,12 +989,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:661 +#: sssd.conf.5.xml:702 msgid "SERVICES SECTIONS" msgstr "服务部分" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:663 +#: sssd.conf.5.xml:704 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " @@ -955,22 +1003,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:670 +#: sssd.conf.5.xml:711 msgid "General service configuration options" msgstr "基本服务配置选项" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:672 +#: sssd.conf.5.xml:713 msgid "These options can be used to configure any service." msgstr "这些选项可被用于配置任何服务。" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:689 +#: sssd.conf.5.xml:730 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:692 +#: sssd.conf.5.xml:733 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " 
@@ -980,17 +1028,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:701 +#: sssd.conf.5.xml:742 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:706 +#: sssd.conf.5.xml:747 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:709 +#: sssd.conf.5.xml:750 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " @@ -1000,18 +1048,18 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:718 sssd.conf.5.xml:750 sssd.conf.5.xml:1033 -#: sssd.conf.5.xml:1294 sssd.conf.5.xml:1540 sssd-ldap.5.xml:1399 +#: sssd.conf.5.xml:759 sssd.conf.5.xml:791 sssd.conf.5.xml:1074 +#: sssd.conf.5.xml:1335 sssd.conf.5.xml:1581 sssd-ldap.5.xml:452 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:723 +#: sssd.conf.5.xml:764 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:726 +#: sssd.conf.5.xml:767 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. This " 
@@ -1019,24 +1067,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:733 +#: sssd.conf.5.xml:774 msgid "offline_timeout + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:736 +#: sssd.conf.5.xml:777 msgid "" "The random offset can increment up to 30 seconds. After each unsuccessful " "attempt to go online, the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:741 +#: sssd.conf.5.xml:782 msgid "new_interval = old_interval*2 + random_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:744 +#: sssd.conf.5.xml:785 msgid "" "Note that the maximum length of each interval is currently limited to one " "hour. If the calculated length of new_interval is greater than an hour, it " @@ -1044,12 +1092,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:755 +#: sssd.conf.5.xml:796 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:758 +#: sssd.conf.5.xml:799 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " 
@@ -1061,58 +1109,58 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:772 sssd.conf.5.xml:1046 sssd.conf.5.xml:1800 -#: sssd-ldap.5.xml:760 +#: sssd.conf.5.xml:813 sssd.conf.5.xml:1087 sssd.conf.5.xml:1863 +#: sssd-ldap.5.xml:319 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:777 +#: sssd.conf.5.xml:818 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:780 +#: sssd.conf.5.xml:821 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:792 +#: sssd.conf.5.xml:833 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:794 +#: sssd.conf.5.xml:835 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:799 +#: sssd.conf.5.xml:840 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:802 +#: sssd.conf.5.xml:843 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:806 +#: sssd.conf.5.xml:847 msgid "Default: 120" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:811 +#: sssd.conf.5.xml:852 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:814 +#: sssd.conf.5.xml:855 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " @@ -1120,7 +1168,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:820 +#: sssd.conf.5.xml:861 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " @@ -1130,7 +1178,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:830 +#: sssd.conf.5.xml:871 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " 
@@ -1139,17 +1187,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:838 sssd.conf.5.xml:1629 +#: sssd.conf.5.xml:879 sssd.conf.5.xml:1670 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:843 +#: sssd.conf.5.xml:884 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:846 +#: sssd.conf.5.xml:887 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " @@ -1157,17 +1205,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:852 sssd.conf.5.xml:1653 +#: sssd.conf.5.xml:893 sssd.conf.5.xml:1694 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:857 +#: sssd.conf.5.xml:898 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:860 +#: sssd.conf.5.xml:901 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " 
@@ -1175,17 +1223,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:866 +#: sssd.conf.5.xml:907 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:871 +#: sssd.conf.5.xml:912 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:874 +#: sssd.conf.5.xml:915 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " @@ -1194,7 +1242,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:882 +#: sssd.conf.5.xml:923 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " 
@@ -1203,41 +1251,41 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:890 +#: sssd.conf.5.xml:931 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:895 +#: sssd.conf.5.xml:936 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:898 +#: sssd.conf.5.xml:939 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:909 +#: sssd.conf.5.xml:950 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:912 +#: sssd.conf.5.xml:953 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:917 +#: sssd.conf.5.xml:958 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:923 +#: sssd.conf.5.xml:964 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" 
@@ -1245,23 +1293,23 @@ msgid "" msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:921 sssd.conf.5.xml:1361 sssd.conf.5.xml:1380 +#: sssd.conf.5.xml:962 sssd.conf.5.xml:1402 sssd.conf.5.xml:1421 #: sssd-krb5.5.xml:573 include/override_homedir.xml:59 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:927 +#: sssd.conf.5.xml:968 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:933 +#: sssd.conf.5.xml:974 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:936 +#: sssd.conf.5.xml:977 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " 
@@ -1269,47 +1317,47 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:942 +#: sssd.conf.5.xml:983 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:948 +#: sssd.conf.5.xml:989 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:951 +#: sssd.conf.5.xml:992 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:954 +#: sssd.conf.5.xml:995 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:958 +#: sssd.conf.5.xml:999 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:963 +#: sssd.conf.5.xml:1004 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:968 +#: sssd.conf.5.xml:1009 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:971 +#: sssd.conf.5.xml:1012 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " 
@@ -1317,112 +1365,112 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:978 +#: sssd.conf.5.xml:1019 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:981 +#: sssd.conf.5.xml:1022 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:985 +#: sssd.conf.5.xml:1026 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:990 +#: sssd.conf.5.xml:1031 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:993 +#: sssd.conf.5.xml:1034 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:998 +#: sssd.conf.5.xml:1039 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1001 +#: sssd.conf.5.xml:1042 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1005 +#: sssd.conf.5.xml:1046 msgid "Default: /bin/sh" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1010 +#: sssd.conf.5.xml:1051 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1013 +#: sssd.conf.5.xml:1054 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1019 +#: sssd.conf.5.xml:1060 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1026 sssd.conf.5.xml:1287 +#: sssd.conf.5.xml:1067 sssd.conf.5.xml:1328 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1029 sssd.conf.5.xml:1290 +#: sssd.conf.5.xml:1070 sssd.conf.5.xml:1331 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1038 +#: sssd.conf.5.xml:1079 msgid "memcache_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1041 +#: sssd.conf.5.xml:1082 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1049 +#: sssd.conf.5.xml:1090 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1055 +#: sssd.conf.5.xml:1096 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1063 sssd-ifp.5.xml:74 +#: sssd.conf.5.xml:1104 sssd-ifp.5.xml:74 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1066 +#: sssd.conf.5.xml:1107 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " 
@@ -1433,96 +1481,96 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1079 +#: sssd.conf.5.xml:1120 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1084 +#: sssd.conf.5.xml:1125 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1089 +#: sssd.conf.5.xml:1130 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1092 +#: sssd.conf.5.xml:1133 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <varlistentry><listitem><para> -#: sssd.conf.5.xml:1097 include/override_homedir.xml:56 +#: sssd.conf.5.xml:1138 include/override_homedir.xml:56 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1100 +#: sssd.conf.5.xml:1141 msgid "" "Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " "domain)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1108 +#: sssd.conf.5.xml:1149 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1110 +#: sssd.conf.5.xml:1151 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1115 +#: sssd.conf.5.xml:1156 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1118 +#: sssd.conf.5.xml:1159 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1123 sssd.conf.5.xml:1136 +#: sssd.conf.5.xml:1164 sssd.conf.5.xml:1177 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1129 +#: sssd.conf.5.xml:1170 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1132 +#: sssd.conf.5.xml:1173 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1142 +#: sssd.conf.5.xml:1183 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1145 +#: sssd.conf.5.xml:1186 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1150 +#: sssd.conf.5.xml:1191 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " 
@@ -1530,59 +1578,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1156 sssd.conf.5.xml:1254 +#: sssd.conf.5.xml:1197 sssd.conf.5.xml:1295 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1162 +#: sssd.conf.5.xml:1203 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1165 +#: sssd.conf.5.xml:1206 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1170 +#: sssd.conf.5.xml:1211 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1173 +#: sssd.conf.5.xml:1214 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1176 +#: sssd.conf.5.xml:1217 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1180 +#: sssd.conf.5.xml:1221 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1183 +#: sssd.conf.5.xml:1224 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1187 sssd.8.xml:63 +#: sssd.conf.5.xml:1228 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1193 +#: sssd.conf.5.xml:1234 msgid "pam_response_filter (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1196 +#: sssd.conf.5.xml:1237 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " 
@@ -1591,61 +1639,61 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1204 +#: sssd.conf.5.xml:1245 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1211 +#: sssd.conf.5.xml:1252 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1212 +#: sssd.conf.5.xml:1253 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1215 +#: sssd.conf.5.xml:1256 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1216 +#: sssd.conf.5.xml:1257 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1220 +#: sssd.conf.5.xml:1261 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1221 +#: sssd.conf.5.xml:1262 msgid "Do not send environment variable var_name to service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1209 +#: sssd.conf.5.xml:1250 msgid "" "Currently the following filters are supported: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1231 +#: sssd.conf.5.xml:1272 msgid "Example: ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1237 +#: sssd.conf.5.xml:1278 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1240 +#: sssd.conf.5.xml:1281 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " @@ -1653,7 +1701,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1246 +#: sssd.conf.5.xml:1287 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" 
@@ -1662,17 +1710,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1260 +#: sssd.conf.5.xml:1301 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1263 sssd.conf.5.xml:2270 +#: sssd.conf.5.xml:1304 sssd.conf.5.xml:2333 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1266 +#: sssd.conf.5.xml:1307 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -1680,31 +1728,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1272 sssd.conf.5.xml:2273 +#: sssd.conf.5.xml:1313 sssd.conf.5.xml:2336 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1277 +#: sssd.conf.5.xml:1318 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1282 sssd.conf.5.xml:3103 sssd.8.xml:79 +#: sssd.conf.5.xml:1323 sssd.conf.5.xml:3166 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1299 +#: sssd.conf.5.xml:1340 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1302 +#: sssd.conf.5.xml:1343 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " 
@@ -1714,75 +1762,75 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1312 +#: sssd.conf.5.xml:1353 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1316 +#: sssd.conf.5.xml:1357 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1364 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1326 +#: sssd.conf.5.xml:1367 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1330 +#: sssd.conf.5.xml:1371 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1334 +#: sssd.conf.5.xml:1375 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1338 +#: sssd.conf.5.xml:1379 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1342 sssd.conf.5.xml:1367 sssd.conf.5.xml:1386 -#: sssd.conf.5.xml:1573 sssd.conf.5.xml:2059 sssd.conf.5.xml:3032 -#: sssd-ldap.5.xml:1986 +#: sssd.conf.5.xml:1383 sssd.conf.5.xml:1408 sssd.conf.5.xml:1427 +#: sssd.conf.5.xml:1614 sssd.conf.5.xml:2122 sssd.conf.5.xml:3095 +#: sssd-ldap.5.xml:1039 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1347 +#: sssd.conf.5.xml:1388 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1350 +#: sssd.conf.5.xml:1391 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1355 +#: sssd.conf.5.xml:1396 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1363 +#: sssd.conf.5.xml:1404 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" 
@@ -1790,19 +1838,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1372 +#: sssd.conf.5.xml:1413 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1375 +#: sssd.conf.5.xml:1416 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1382 +#: sssd.conf.5.xml:1423 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" @@ -1810,12 +1858,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1391 +#: sssd.conf.5.xml:1432 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1394 +#: sssd.conf.5.xml:1435 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " 
@@ -1823,77 +1871,77 @@ msgid "" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1400 sssd-ldap.5.xml:1501 sssd-ldap.5.xml:1522 -#: sssd-ldap.5.xml:2059 sssd-ad.5.xml:435 sssd-ad.5.xml:453 +#: sssd.conf.5.xml:1441 sssd-ldap.5.xml:554 sssd-ldap.5.xml:575 +#: sssd-ldap.5.xml:1112 sssd-ad.5.xml:486 sssd-ad.5.xml:504 #: include/ldap_id_mapping.xml:244 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1405 +#: sssd.conf.5.xml:1446 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1408 +#: sssd.conf.5.xml:1449 msgid "" "The path to the certificate database which contain the PKCS#11 modules to " "access the Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1412 sssd.conf.5.xml:1718 sssd.conf.5.xml:3543 +#: sssd.conf.5.xml:1453 sssd.conf.5.xml:1781 sssd.conf.5.xml:3606 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1414 sssd.conf.5.xml:1720 +#: sssd.conf.5.xml:1455 sssd.conf.5.xml:1783 msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1417 sssd.conf.5.xml:1723 +#: sssd.conf.5.xml:1458 sssd.conf.5.xml:1786 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " "trusted CA certificates in PEM format)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1432 +#: sssd.conf.5.xml:1473 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1435 +#: sssd.conf.5.xml:1476 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1444 +#: sssd.conf.5.xml:1485 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1447 +#: sssd.conf.5.xml:1488 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1456 +#: sssd.conf.5.xml:1497 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1459 +#: sssd.conf.5.xml:1500 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1474 +#: sssd.conf.5.xml:1515 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" @@ -1901,7 +1949,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1463 +#: sssd.conf.5.xml:1504 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " 
@@ -1913,63 +1961,63 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1478 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 -#: sssd-ad.5.xml:692 sssd-ad.5.xml:758 +#: sssd.conf.5.xml:1519 sssd-ad.5.xml:567 sssd-ad.5.xml:676 sssd-ad.5.xml:734 +#: sssd-ad.5.xml:792 sssd-ad.5.xml:870 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1483 sssd-ad.5.xml:508 +#: sssd.conf.5.xml:1524 sssd-ad.5.xml:571 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1488 sssd-ad.5.xml:513 +#: sssd.conf.5.xml:1529 sssd-ad.5.xml:576 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1493 sssd-ad.5.xml:518 +#: sssd.conf.5.xml:1534 sssd-ad.5.xml:581 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1498 sssd-ad.5.xml:533 +#: sssd.conf.5.xml:1539 sssd-ad.5.xml:596 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1503 sssd-ad.5.xml:528 +#: sssd.conf.5.xml:1544 sssd-ad.5.xml:591 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1508 sssd-ad.5.xml:538 +#: sssd.conf.5.xml:1549 sssd-ad.5.xml:601 msgid "kdm" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1513 sssd-ad.5.xml:767 +#: sssd.conf.5.xml:1554 sssd-ad.5.xml:879 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1518 sssd-ad.5.xml:772 +#: sssd.conf.5.xml:1559 sssd-ad.5.xml:884 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1523 +#: sssd.conf.5.xml:1564 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1531 +#: sssd.conf.5.xml:1572 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1534 +#: sssd.conf.5.xml:1575 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " @@ -1977,12 +2025,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1545 +#: sssd.conf.5.xml:1586 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1548 +#: sssd.conf.5.xml:1589 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " 
@@ -1993,7 +2041,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1561 +#: sssd.conf.5.xml:1602 #, no-wrap msgid "" "p11_uri = slot-description=My%20Smartcar%20Reader\n" @@ -2001,7 +2049,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:1565 +#: sssd.conf.5.xml:1606 #, no-wrap msgid "" "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n" @@ -2009,7 +2057,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1559 +#: sssd.conf.5.xml:1600 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " @@ -2018,12 +2066,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1581 +#: sssd.conf.5.xml:1622 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1583 +#: sssd.conf.5.xml:1624 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" 
@@ -2034,24 +2082,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1600 +#: sssd.conf.5.xml:1641 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1603 +#: sssd.conf.5.xml:1644 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1615 +#: sssd.conf.5.xml:1656 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1618 +#: sssd.conf.5.xml:1659 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " @@ -2061,22 +2109,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1637 +#: sssd.conf.5.xml:1678 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1639 +#: sssd.conf.5.xml:1680 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1643 +#: sssd.conf.5.xml:1684 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1646 +#: sssd.conf.5.xml:1687 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " 
@@ -2084,51 +2132,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1662 +#: sssd.conf.5.xml:1703 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1664 +#: sssd.conf.5.xml:1705 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1668 +#: sssd.conf.5.xml:1709 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1671 +#: sssd.conf.5.xml:1712 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1680 +#: sssd.conf.5.xml:1721 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1683 +#: sssd.conf.5.xml:1724 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1687 +#: sssd.conf.5.xml:1728 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1692 +#: sssd.conf.5.xml:1733 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1695 +#: sssd.conf.5.xml:1736 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " 
@@ -2137,24 +2185,51 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1710 +#: sssd.conf.5.xml:1751 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1754 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "" +"If a non-existing rule name is given all rules will be ignored and all " +"available certificates will be used to derive ssh keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1768 +msgid "Default: not set, all found rules are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1773 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1713 +#: sssd.conf.5.xml:1776 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1741 +#: sssd.conf.5.xml:1804 msgid "PAC responder configuration options" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1743 +#: sssd.conf.5.xml:1806 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " @@ -2165,7 +2240,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1752 +#: sssd.conf.5.xml:1815 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " @@ -2176,24 +2251,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:1760 +#: sssd.conf.5.xml:1823 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1766 +#: sssd.conf.5.xml:1829 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1770 sssd-ifp.5.xml:50 +#: sssd.conf.5.xml:1833 sssd-ifp.5.xml:50 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1773 +#: sssd.conf.5.xml:1836 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " 
@@ -2201,12 +2276,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1779 +#: sssd.conf.5.xml:1842 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1783 +#: sssd.conf.5.xml:1846 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " @@ -2215,24 +2290,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1792 +#: sssd.conf.5.xml:1855 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1795 +#: sssd.conf.5.xml:1858 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:1808 +#: sssd.conf.5.xml:1871 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1810 +#: sssd.conf.5.xml:1873 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" 
@@ -2242,66 +2317,66 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:1823 +#: sssd.conf.5.xml:1886 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1827 sssd-session-recording.5.xml:64 +#: sssd.conf.5.xml:1890 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1834 sssd-session-recording.5.xml:71 +#: sssd.conf.5.xml:1897 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1837 sssd-session-recording.5.xml:74 +#: sssd.conf.5.xml:1900 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1842 sssd-session-recording.5.xml:79 +#: sssd.conf.5.xml:1905 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1845 sssd-session-recording.5.xml:82 +#: sssd.conf.5.xml:1908 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1854 sssd-session-recording.5.xml:91 +#: sssd.conf.5.xml:1917 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1857 sssd-session-recording.5.xml:94 +#: sssd.conf.5.xml:1920 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1830 sssd-session-recording.5.xml:67 +#: sssd.conf.5.xml:1893 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1864 sssd-session-recording.5.xml:101 +#: sssd.conf.5.xml:1927 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1869 sssd-session-recording.5.xml:106 +#: sssd.conf.5.xml:1932 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1872 sssd-session-recording.5.xml:109 +#: sssd.conf.5.xml:1935 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " 
@@ -2309,17 +2384,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1878 sssd-session-recording.5.xml:115 +#: sssd.conf.5.xml:1941 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1883 sssd-session-recording.5.xml:120 +#: sssd.conf.5.xml:1946 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1886 sssd-session-recording.5.xml:123 +#: sssd.conf.5.xml:1949 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " @@ -2327,7 +2402,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1892 sssd-session-recording.5.xml:129 +#: sssd.conf.5.xml:1955 sssd-session-recording.5.xml:129 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " 
@@ -2335,22 +2410,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1899 sssd-session-recording.5.xml:136 +#: sssd.conf.5.xml:1962 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:1909 +#: sssd.conf.5.xml:1972 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1916 +#: sssd.conf.5.xml:1979 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1919 +#: sssd.conf.5.xml:1982 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " @@ -2359,14 +2434,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1927 +#: sssd.conf.5.xml:1990 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1931 +#: sssd.conf.5.xml:1994 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " 
@@ -2375,38 +2450,38 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1939 +#: sssd.conf.5.xml:2002 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1943 +#: sssd.conf.5.xml:2006 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1947 +#: sssd.conf.5.xml:2010 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1953 +#: sssd.conf.5.xml:2016 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1956 +#: sssd.conf.5.xml:2019 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1961 +#: sssd.conf.5.xml:2024 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" 
@@ -2415,24 +2490,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1968 +#: sssd.conf.5.xml:2031 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1972 +#: sssd.conf.5.xml:2035 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:1978 +#: sssd.conf.5.xml:2041 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1981 +#: sssd.conf.5.xml:2044 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " 
@@ -2441,29 +2516,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1989 +#: sssd.conf.5.xml:2052 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1992 +#: sssd.conf.5.xml:2055 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1995 sssd.conf.5.xml:2225 sssd.conf.5.xml:2400 +#: sssd.conf.5.xml:2058 sssd.conf.5.xml:2288 sssd.conf.5.xml:2463 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:1998 +#: sssd.conf.5.xml:2061 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2003 +#: sssd.conf.5.xml:2066 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " @@ -2477,14 +2552,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2018 +#: sssd.conf.5.xml:2081 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2023 +#: sssd.conf.5.xml:2086 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " 
@@ -2493,39 +2568,39 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2031 +#: sssd.conf.5.xml:2094 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2039 +#: sssd.conf.5.xml:2102 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2046 +#: sssd.conf.5.xml:2109 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2047 +#: sssd.conf.5.xml:2110 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2050 +#: sssd.conf.5.xml:2113 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2051 +#: sssd.conf.5.xml:2114 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2042 +#: sssd.conf.5.xml:2105 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " 
@@ -2534,19 +2609,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2065 +#: sssd.conf.5.xml:2128 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2068 +#: sssd.conf.5.xml:2131 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2072 +#: sssd.conf.5.xml:2135 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " 
@@ -2557,115 +2632,115 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2085 +#: sssd.conf.5.xml:2148 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2091 +#: sssd.conf.5.xml:2154 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2094 +#: sssd.conf.5.xml:2157 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2098 sssd.conf.5.xml:2111 sssd.conf.5.xml:2124 -#: sssd.conf.5.xml:2137 sssd.conf.5.xml:2150 sssd.conf.5.xml:2164 -#: sssd.conf.5.xml:2178 +#: sssd.conf.5.xml:2161 sssd.conf.5.xml:2174 sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2200 sssd.conf.5.xml:2213 sssd.conf.5.xml:2227 +#: sssd.conf.5.xml:2241 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2104 +#: sssd.conf.5.xml:2167 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2107 +#: sssd.conf.5.xml:2170 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2117 +#: sssd.conf.5.xml:2180 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2120 +#: sssd.conf.5.xml:2183 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2130 +#: sssd.conf.5.xml:2193 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2133 +#: sssd.conf.5.xml:2196 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2143 +#: sssd.conf.5.xml:2206 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2146 +#: sssd.conf.5.xml:2209 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2156 +#: sssd.conf.5.xml:2219 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2159 +#: sssd.conf.5.xml:2222 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2170 +#: sssd.conf.5.xml:2233 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2173 +#: sssd.conf.5.xml:2236 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2184 +#: sssd.conf.5.xml:2247 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2187 +#: sssd.conf.5.xml:2250 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2192 +#: sssd.conf.5.xml:2255 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " 
@@ -2674,42 +2749,42 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2200 +#: sssd.conf.5.xml:2263 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2204 +#: sssd.conf.5.xml:2267 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2208 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254 +#: sssd.conf.5.xml:2271 sssd-ldap.5.xml:343 sssd-ipa.5.xml:254 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2214 +#: sssd.conf.5.xml:2277 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2217 +#: sssd.conf.5.xml:2280 msgid "Determines if user credentials are also cached in the local LDB cache" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2221 +#: sssd.conf.5.xml:2284 msgid "User credentials are stored in a SHA512 hash, not in plaintext" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2231 +#: sssd.conf.5.xml:2294 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2234 +#: sssd.conf.5.xml:2297 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " 
@@ -2717,24 +2792,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2241 +#: sssd.conf.5.xml:2304 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2246 sssd-ldap.5.xml:1443 +#: sssd.conf.5.xml:2309 sssd-ldap.5.xml:496 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2252 +#: sssd.conf.5.xml:2315 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2255 +#: sssd.conf.5.xml:2318 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " @@ -2743,17 +2818,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2262 +#: sssd.conf.5.xml:2325 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2267 +#: sssd.conf.5.xml:2330 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2278 +#: sssd.conf.5.xml:2341 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " 
@@ -2762,34 +2837,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2285 +#: sssd.conf.5.xml:2348 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2291 +#: sssd.conf.5.xml:2354 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2294 +#: sssd.conf.5.xml:2357 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2301 +#: sssd.conf.5.xml:2364 msgid "" "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2305 +#: sssd.conf.5.xml:2368 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " @@ -2797,7 +2872,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2313 +#: sssd.conf.5.xml:2376 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " 
@@ -2805,8 +2880,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2321 sssd.conf.5.xml:2426 sssd.conf.5.xml:2481 -#: sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2384 sssd.conf.5.xml:2489 sssd.conf.5.xml:2544 +#: sssd.conf.5.xml:2607 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " @@ -2815,8 +2890,8 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2330 sssd.conf.5.xml:2435 sssd.conf.5.xml:2490 -#: sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2393 sssd.conf.5.xml:2498 sssd.conf.5.xml:2553 +#: sssd.conf.5.xml:2616 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2824,19 +2899,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2341 +#: sssd.conf.5.xml:2404 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2344 +#: sssd.conf.5.xml:2407 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2349 +#: sssd.conf.5.xml:2412 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " 
@@ -2845,7 +2920,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2357 +#: sssd.conf.5.xml:2420 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " @@ -2853,22 +2928,22 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2364 +#: sssd.conf.5.xml:2427 msgid "Default: FALSE (TRUE if default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2370 +#: sssd.conf.5.xml:2433 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2373 +#: sssd.conf.5.xml:2436 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2376 +#: sssd.conf.5.xml:2439 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " @@ -2880,7 +2955,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2394 +#: sssd.conf.5.xml:2457 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " 
@@ -2888,19 +2963,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2405 +#: sssd.conf.5.xml:2468 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2408 +#: sssd.conf.5.xml:2471 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2412 sssd.conf.5.xml:2474 +#: sssd.conf.5.xml:2475 sssd.conf.5.xml:2537 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" @@ -2908,7 +2983,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2419 +#: sssd.conf.5.xml:2482 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -2916,35 +2991,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2443 +#: sssd.conf.5.xml:2506 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2446 +#: sssd.conf.5.xml:2509 msgid "<quote>local</quote>: SSSD internal provider for local users" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2450 +#: sssd.conf.5.xml:2513 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2453 +#: sssd.conf.5.xml:2516 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2459 +#: sssd.conf.5.xml:2522 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2462 +#: sssd.conf.5.xml:2525 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " 
@@ -2952,19 +3027,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2468 +#: sssd.conf.5.xml:2531 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2471 +#: sssd.conf.5.xml:2534 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2498 +#: sssd.conf.5.xml:2561 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" @@ -2973,7 +3048,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2505 +#: sssd.conf.5.xml:2568 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" 
@@ -2981,29 +3056,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2512 +#: sssd.conf.5.xml:2575 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2515 +#: sssd.conf.5.xml:2578 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2520 +#: sssd.conf.5.xml:2583 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2523 +#: sssd.conf.5.xml:2586 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2528 +#: sssd.conf.5.xml:2591 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" @@ -3011,7 +3086,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2536 +#: sssd.conf.5.xml:2599 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3019,35 +3094,35 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2561 +#: sssd.conf.5.xml:2624 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2628 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2568 +#: sssd.conf.5.xml:2631 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2575 +#: sssd.conf.5.xml:2638 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2578 +#: sssd.conf.5.xml:2641 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2582 +#: sssd.conf.5.xml:2645 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3055,32 +3130,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2590 +#: sssd.conf.5.xml:2653 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2594 +#: sssd.conf.5.xml:2657 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2598 +#: sssd.conf.5.xml:2661 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2601 sssd.conf.5.xml:2687 sssd.conf.5.xml:2757 -#: sssd.conf.5.xml:2782 +#: sssd.conf.5.xml:2664 sssd.conf.5.xml:2750 sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2845 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2605 +#: sssd.conf.5.xml:2668 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " @@ -3091,7 +3166,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2620 +#: sssd.conf.5.xml:2683 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " 
@@ -3100,12 +3175,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2630 +#: sssd.conf.5.xml:2693 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2633 +#: sssd.conf.5.xml:2696 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " @@ -3113,7 +3188,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2639 +#: sssd.conf.5.xml:2702 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3121,31 +3196,31 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2647 +#: sssd.conf.5.xml:2710 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2650 +#: sssd.conf.5.xml:2713 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2656 +#: sssd.conf.5.xml:2719 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2659 +#: sssd.conf.5.xml:2722 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2665 +#: sssd.conf.5.xml:2728 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" @@ -3153,7 +3228,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2674 +#: sssd.conf.5.xml:2737 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " 
@@ -3162,17 +3237,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2683 +#: sssd.conf.5.xml:2746 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2693 +#: sssd.conf.5.xml:2756 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2696 +#: sssd.conf.5.xml:2759 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " 
@@ -3180,43 +3255,43 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2703 +#: sssd.conf.5.xml:2766 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2707 +#: sssd.conf.5.xml:2770 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2711 +#: sssd.conf.5.xml:2774 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2778 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2723 +#: sssd.conf.5.xml:2786 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2726 +#: sssd.conf.5.xml:2789 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2730 +#: sssd.conf.5.xml:2793 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" 
@@ -3224,7 +3299,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2737 +#: sssd.conf.5.xml:2800 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3232,7 +3307,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2745 +#: sssd.conf.5.xml:2808 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" @@ -3240,24 +3315,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2754 +#: sssd.conf.5.xml:2817 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2764 +#: sssd.conf.5.xml:2827 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2767 +#: sssd.conf.5.xml:2830 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2771 +#: sssd.conf.5.xml:2834 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" 
@@ -3265,12 +3340,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2779 +#: sssd.conf.5.xml:2842 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2792 +#: sssd.conf.5.xml:2855 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " @@ -3280,7 +3355,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2801 +#: sssd.conf.5.xml:2864 msgid "" "Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
@@ -3289,29 +3364,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2806 +#: sssd.conf.5.xml:2869 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2809 +#: sssd.conf.5.xml:2872 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:2812 +#: sssd.conf.5.xml:2875 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2815 +#: sssd.conf.5.xml:2878 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2820 +#: sssd.conf.5.xml:2883 msgid "" "Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " "which translates to \"the name is everything up to the <quote>@</quote> " @@ -3319,7 +3394,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2826 +#: sssd.conf.5.xml:2889 msgid "" "NOTE: Some Active Directory groups, typically those used for MS Exchange " "contain an <quote>@</quote> sign in the name, which clashes with the default " 
@@ -3329,59 +3404,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2877 +#: sssd.conf.5.xml:2940 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2883 +#: sssd.conf.5.xml:2946 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2886 +#: sssd.conf.5.xml:2949 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2890 +#: sssd.conf.5.xml:2953 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2893 +#: sssd.conf.5.xml:2956 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2896 +#: sssd.conf.5.xml:2959 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2899 +#: sssd.conf.5.xml:2962 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2902 +#: sssd.conf.5.xml:2965 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2905 +#: sssd.conf.5.xml:2968 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2911 +#: sssd.conf.5.xml:2974 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2914 +#: sssd.conf.5.xml:2977 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " 
@@ -3390,77 +3465,77 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2921 +#: sssd.conf.5.xml:2984 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2926 sssd-ldap.5.xml:1383 sssd-ldap.5.xml:1425 +#: sssd.conf.5.xml:2989 sssd-ldap.5.xml:436 sssd-ldap.5.xml:478 #: sssd-krb5.5.xml:248 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2932 +#: sssd.conf.5.xml:2995 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2935 +#: sssd.conf.5.xml:2998 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2939 +#: sssd.conf.5.xml:3002 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2945 +#: sssd.conf.5.xml:3008 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2948 +#: sssd.conf.5.xml:3011 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2954 +#: sssd.conf.5.xml:3017 msgid "case_sensitive (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2965 +#: sssd.conf.5.xml:3028 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2968 +#: sssd.conf.5.xml:3031 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2974 +#: sssd.conf.5.xml:3037 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2976 +#: sssd.conf.5.xml:3039 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:2980 +#: sssd.conf.5.xml:3043 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2983 +#: sssd.conf.5.xml:3046 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " @@ -3468,7 +3543,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2957 +#: sssd.conf.5.xml:3020 msgid "" "Treat user and group names as case sensitive. <phrase condition=" "\"enable_local_provider\"> At the moment, this option is not supported in " 
@@ -3477,17 +3552,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:2995 +#: sssd.conf.5.xml:3058 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3001 +#: sssd.conf.5.xml:3064 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3004 +#: sssd.conf.5.xml:3067 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " 
@@ -3495,34 +3570,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3010 +#: sssd.conf.5.xml:3073 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3013 +#: sssd.conf.5.xml:3076 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3016 sssd-ldap.5.xml:1107 +#: sssd.conf.5.xml:3079 sssd-ldap.5.xml:383 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3019 +#: sssd.conf.5.xml:3082 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3022 +#: sssd.conf.5.xml:3085 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3028 +#: sssd.conf.5.xml:3091 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" 
@@ -3530,32 +3605,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3026 sssd-secrets.5.xml:448 +#: sssd.conf.5.xml:3089 sssd-secrets.5.xml:448 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3035 +#: sssd.conf.5.xml:3098 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3042 +#: sssd.conf.5.xml:3105 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3053 +#: sssd.conf.5.xml:3116 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3054 +#: sssd.conf.5.xml:3117 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3045 +#: sssd.conf.5.xml:3108 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " 
@@ -3565,34 +3640,34 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3059 +#: sssd.conf.5.xml:3122 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3063 +#: sssd.conf.5.xml:3126 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3068 +#: sssd.conf.5.xml:3131 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3071 +#: sssd.conf.5.xml:3134 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3077 +#: sssd.conf.5.xml:3140 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3080 +#: sssd.conf.5.xml:3143 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " 
@@ -3601,19 +3676,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3088 +#: sssd.conf.5.xml:3151 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3093 +#: sssd.conf.5.xml:3156 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3097 +#: sssd.conf.5.xml:3160 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " 
@@ -3621,24 +3696,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3108 +#: sssd.conf.5.xml:3171 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3114 +#: sssd.conf.5.xml:3177 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3117 +#: sssd.conf.5.xml:3180 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3121 +#: sssd.conf.5.xml:3184 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " 
@@ -3647,24 +3722,24 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3130 +#: sssd.conf.5.xml:3193 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3133 +#: sssd.conf.5.xml:3196 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3139 +#: sssd.conf.5.xml:3202 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3142 +#: sssd.conf.5.xml:3205 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " @@ -3674,14 +3749,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3155 +#: sssd.conf.5.xml:3218 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3162 +#: sssd.conf.5.xml:3225 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " 
@@ -3689,21 +3764,21 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3111 +#: sssd.conf.5.xml:3174 msgid "" "This option takes any of three available values: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3174 +#: sssd.conf.5.xml:3237 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3182 +#: sssd.conf.5.xml:3245 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" @@ -3711,7 +3786,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd.conf.5.xml:3188 +#: sssd.conf.5.xml:3251 #, no-wrap msgid "" "[domain/forest.domain]\n" @@ -3720,7 +3795,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3179 +#: sssd.conf.5.xml:3242 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " @@ -3729,7 +3804,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:1911 +#: sssd.conf.5.xml:1974 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" 
@@ -3737,29 +3812,29 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3203 +#: sssd.conf.5.xml:3266 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3206 +#: sssd.conf.5.xml:3269 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3209 +#: sssd.conf.5.xml:3272 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3217 +#: sssd.conf.5.xml:3280 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3220 +#: sssd.conf.5.xml:3283 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " @@ -3767,12 +3842,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3230 +#: sssd.conf.5.xml:3293 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3233 +#: sssd.conf.5.xml:3296 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " 
@@ -3781,12 +3856,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3247 +#: sssd.conf.5.xml:3310 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3250 +#: sssd.conf.5.xml:3313 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " @@ -3794,19 +3869,19 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3199 +#: sssd.conf.5.xml:3262 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" id=" "\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3266 +#: sssd.conf.5.xml:3329 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3268 +#: sssd.conf.5.xml:3331 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " @@ -3823,7 +3898,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3288 +#: sssd.conf.5.xml:3351 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " 
@@ -3831,17 +3906,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sssd.conf.5.xml:3294 +#: sssd.conf.5.xml:3357 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3296 +#: sssd.conf.5.xml:3359 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3299 +#: sssd.conf.5.xml:3362 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " @@ -3850,7 +3925,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3313 +#: sssd.conf.5.xml:3376 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " @@ -3860,7 +3935,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> -#: sssd.conf.5.xml:3321 +#: sssd.conf.5.xml:3384 #, no-wrap msgid "" "[sssd]\n" @@ -3880,12 +3955,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd.conf.5.xml:3339 +#: sssd.conf.5.xml:3402 msgid "The local domain section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd.conf.5.xml:3341 +#: sssd.conf.5.xml:3404 msgid "" "This section contains settings for domain that stores users and groups in " "SSSD native database, that is, a domain that uses " 
@@ -3893,73 +3968,73 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3348 +#: sssd.conf.5.xml:3411 msgid "default_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3351 +#: sssd.conf.5.xml:3414 msgid "The default shell for users created with SSSD userspace tools." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3355 +#: sssd.conf.5.xml:3418 msgid "Default: <filename>/bin/bash</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3360 +#: sssd.conf.5.xml:3423 msgid "base_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3363 +#: sssd.conf.5.xml:3426 msgid "" "The tools append the login name to <replaceable>base_directory</replaceable> " "and use that as the home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3368 +#: sssd.conf.5.xml:3431 msgid "Default: <filename>/home</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3373 +#: sssd.conf.5.xml:3436 msgid "create_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3376 +#: sssd.conf.5.xml:3439 msgid "" "Indicate if a home directory should be created by default for new users. " "Can be overridden on command line." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3380 sssd.conf.5.xml:3392 +#: sssd.conf.5.xml:3443 sssd.conf.5.xml:3455 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3385 +#: sssd.conf.5.xml:3448 msgid "remove_homedir (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3388 +#: sssd.conf.5.xml:3451 msgid "" "Indicate if a home directory should be removed by default for deleted " "users. Can be overridden on command line." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3397 +#: sssd.conf.5.xml:3460 msgid "homedir_umask (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3400 +#: sssd.conf.5.xml:3463 msgid "" "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " @@ -3967,17 +4042,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3408 +#: sssd.conf.5.xml:3471 msgid "Default: 077" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3413 +#: sssd.conf.5.xml:3476 msgid "skel_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3416 +#: sssd.conf.5.xml:3479 msgid "" "The skeleton directory, which contains files and directories to be copied in " "the user's home directory, when the home directory is created by " 
@@ -3986,17 +4061,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3426 +#: sssd.conf.5.xml:3489 msgid "Default: <filename>/etc/skel</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3431 +#: sssd.conf.5.xml:3494 msgid "mail_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3434 +#: sssd.conf.5.xml:3497 msgid "" "The mail spool directory. This is needed to manipulate the mailbox when its " "corresponding user account is modified or deleted. If not specified, a " @@ -4004,17 +4079,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3441 +#: sssd.conf.5.xml:3504 msgid "Default: <filename>/var/mail</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3446 +#: sssd.conf.5.xml:3509 msgid "userdel_cmd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3449 +#: sssd.conf.5.xml:3512 msgid "" "The command that is run after a user is removed. The command us passed the " "username of the user being removed as the first and only parameter. The " 
@@ -4022,17 +4097,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3455 +#: sssd.conf.5.xml:3518 msgid "Default: None, no command is run" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3465 +#: sssd.conf.5.xml:3528 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3467 +#: sssd.conf.5.xml:3530 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" 
@@ -4043,69 +4118,69 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3474 +#: sssd.conf.5.xml:3537 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3475 +#: sssd.conf.5.xml:3538 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3476 +#: sssd.conf.5.xml:3539 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3477 +#: sssd.conf.5.xml:3540 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3478 +#: sssd.conf.5.xml:3541 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3479 +#: sssd.conf.5.xml:3542 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3480 +#: sssd.conf.5.xml:3543 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3481 +#: sssd.conf.5.xml:3544 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3482 +#: sssd.conf.5.xml:3545 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3483 sssd-ipa.5.xml:797 +#: sssd.conf.5.xml:3546 sssd-ipa.5.xml:797 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3485 +#: sssd.conf.5.xml:3548 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3491 +#: sssd.conf.5.xml:3554 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3493 +#: sssd.conf.5.xml:3556 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " @@ -4118,7 +4193,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3507 +#: sssd.conf.5.xml:3570 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " @@ -4126,7 +4201,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3516 +#: sssd.conf.5.xml:3579 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" 
@@ -4135,55 +4210,55 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3523 +#: sssd.conf.5.xml:3586 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3526 +#: sssd.conf.5.xml:3589 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3530 +#: sssd.conf.5.xml:3593 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3537 +#: sssd.conf.5.xml:3600 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3540 +#: sssd.conf.5.xml:3603 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3546 +#: sssd.conf.5.xml:3609 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3552 +#: sssd.conf.5.xml:3615 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3561 +#: sssd.conf.5.xml:3624 msgid "domains (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3564 +#: sssd.conf.5.xml:3627 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " @@ -4192,17 +4267,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3571 +#: sssd.conf.5.xml:3634 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3576 +#: sssd.conf.5.xml:3639 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3579 +#: sssd.conf.5.xml:3642 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " 
@@ -4210,26 +4285,26 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3585 +#: sssd.conf.5.xml:3648 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3591 +#: sssd.conf.5.xml:3654 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3597 +#: sssd.conf.5.xml:3660 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3603 +#: sssd.conf.5.xml:3666 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " @@ -4238,17 +4313,17 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd.conf.5.xml:3612 +#: sssd.conf.5.xml:3675 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3620 +#: sssd.conf.5.xml:3683 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3622 +#: sssd.conf.5.xml:3685 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " 
@@ -4258,7 +4333,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3630 +#: sssd.conf.5.xml:3693 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " 
@@ -4267,59 +4342,59 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3642 +#: sssd.conf.5.xml:3705 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3645 +#: sssd.conf.5.xml:3708 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3646 +#: sssd.conf.5.xml:3709 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3644 +#: sssd.conf.5.xml:3707 msgid "" "to configure password prompting, allowed options are: <placeholder type=" "\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3654 +#: sssd.conf.5.xml:3717 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3658 +#: sssd.conf.5.xml:3721 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3659 +#: sssd.conf.5.xml:3722 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3662 +#: sssd.conf.5.xml:3725 msgid "second_prompt" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3663 +#: sssd.conf.5.xml:3726 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd.conf.5.xml:3666 +#: sssd.conf.5.xml:3729 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3667 +#: sssd.conf.5.xml:3730 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " @@ -4327,14 +4402,14 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd.conf.5.xml:3656 +#: sssd.conf.5.xml:3719 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3637 +#: sssd.conf.5.xml:3700 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type=" @@ -4342,7 +4417,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3679 +#: sssd.conf.5.xml:3742 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " 
@@ -4350,12 +4425,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> -#: sssd.conf.5.xml:3686 idmap_sss.8.xml:43 +#: sssd.conf.5.xml:3749 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3692 +#: sssd.conf.5.xml:3755 #, no-wrap msgid "" "[sssd]\n" @@ -4385,7 +4460,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3688 +#: sssd.conf.5.xml:3751 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " @@ -4394,7 +4469,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3725 +#: sssd.conf.5.xml:3788 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" @@ -4402,7 +4477,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3719 +#: sssd.conf.5.xml:3782 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " @@ -4413,7 +4488,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd.conf.5.xml:3739 +#: sssd.conf.5.xml:3802 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" @@ -4427,7 +4502,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.conf.5.xml:3730 +#: sssd.conf.5.xml:3793 msgid "" "3. The following example shows the configuration for two certificate mapping " "rules. The first is valid for the configured domain <quote>my.domain</quote> " 
@@ -4483,12 +4558,12 @@ msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:60 +#: sssd-ldap.5.xml:66 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:63 +#: sssd-ldap.5.xml:69 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" 
@@ -4498,33 +4573,33 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +#: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:73 +#: sssd-ldap.5.xml:79 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:76 +#: sssd-ldap.5.xml:82 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:79 +#: sssd-ldap.5.xml:85 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:85 +#: sssd-ldap.5.xml:91 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:88 +#: sssd-ldap.5.xml:94 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " 
@@ -4533,71 +4608,71 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:95 +#: sssd-ldap.5.xml:101 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:99 +#: sssd-ldap.5.xml:105 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:105 +#: sssd-ldap.5.xml:111 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:108 +#: sssd-ldap.5.xml:114 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:112 +#: sssd-ldap.5.xml:118 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:116 +#: sssd-ldap.5.xml:122 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:119 +#: sssd-ldap.5.xml:125 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +#: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:700 sssd-ad.5.xml:286 -#: sss_override.8.xml:137 sss_override.8.xml:234 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:132 sssd-ad.5.xml:286 sss_override.8.xml:137 +#: sss_override.8.xml:234 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:129 +#: sssd-ldap.5.xml:135 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:134 +#: sssd-ldap.5.xml:140 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:137 +#: sssd-ldap.5.xml:143 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " @@ -4606,7 +4681,7 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:144 +#: sssd-ldap.5.xml:150 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " 
@@ -4617,12 +4692,12 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:158 +#: sssd-ldap.5.xml:164 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:161 +#: sssd-ldap.5.xml:167 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " @@ -4630,32 +4705,32 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:168 +#: sssd-ldap.5.xml:174 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:172 +#: sssd-ldap.5.xml:178 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:177 +#: sssd-ldap.5.xml:183 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:182 +#: sssd-ldap.5.xml:188 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:187 +#: sssd-ldap.5.xml:193 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:193 +#: sssd-ldap.5.xml:199 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " 
@@ -4666,37 +4741,37 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:203 +#: sssd-ldap.5.xml:209 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:209 +#: sssd-ldap.5.xml:215 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:212 +#: sssd-ldap.5.xml:218 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:216 +#: sssd-ldap.5.xml:222 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:220 +#: sssd-ldap.5.xml:226 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ldap.5.xml:226 +#: sssd-ldap.5.xml:232 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:233 +#: sssd-ldap.5.xml:239 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " 
@@ -4705,10729 +4780,10971 @@ msgid "" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:241 +#: sssd-ldap.5.xml:247 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:247 +#: sssd-ldap.5.xml:253 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:250 +#: sssd-ldap.5.xml:256 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:257 +#: sssd-ldap.5.xml:263 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:260 +#: sssd-ldap.5.xml:266 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:264 +#: sssd-ldap.5.xml:270 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:267 +#: sssd-ldap.5.xml:273 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:270 +#: sssd-ldap.5.xml:276 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:273 +#: sssd-ldap.5.xml:279 msgid "Default: password" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:279 +#: sssd-ldap.5.xml:285 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:282 +#: sssd-ldap.5.xml:288 msgid "" "The authentication token of the default bind DN. Only clear text passwords " "are currently supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:289 -msgid "ldap_user_object_class (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:292 -msgid "The object class of a user entry in LDAP." +#: sssd-ldap.5.xml:295 +msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:295 -msgid "Default: posixAccount" +#: sssd-ldap.5.xml:298 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:301 -msgid "ldap_user_name (string)" +#: sssd-ldap.5.xml:311 +msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:304 -msgid "The LDAP attribute that corresponds to the user's login name." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:308 -msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +#: sssd-ldap.5.xml:314 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:315 -msgid "ldap_user_uid_number (string)" +#: sssd-ldap.5.xml:325 +msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:318 -msgid "The LDAP attribute that corresponds to the user's id." +#: sssd-ldap.5.xml:328 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:322 -msgid "Default: uidNumber" +#: sssd-ldap.5.xml:334 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:328 -msgid "ldap_user_gid_number (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:331 -msgid "The LDAP attribute that corresponds to the user's primary group id." +#: sssd-ldap.5.xml:349 +msgid "ldap_group_nesting_level (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:335 sssd-ldap.5.xml:975 -msgid "Default: gidNumber" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:341 -msgid "ldap_user_primary_group (string)" +#: sssd-ldap.5.xml:352 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:344 +#: sssd-ldap.5.xml:359 msgid "" -"Active Directory primary group attribute for ID-mapping. Note that this " -"attribute should only be set manually if you are running the <quote>ldap</" -"quote> provider with ID mapping." +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:350 -msgid "Default: unset (LDAP), primaryGroupID (AD)" +#: sssd-ldap.5.xml:368 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:356 -msgid "ldap_user_gecos (string)" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:377 include/failover.xml:100 +msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:359 -msgid "The LDAP attribute that corresponds to the user's gecos field." +#: sssd-ldap.5.xml:386 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:363 -msgid "Default: gecos" +#: sssd-ldap.5.xml:391 +msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:369 -msgid "ldap_user_home_directory (string)" +#: sssd-ldap.5.xml:397 +msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:372 -msgid "The LDAP attribute that contains the name of the user's home directory." +#: sssd-ldap.5.xml:400 +msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:376 -msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:382 -msgid "ldap_user_shell (string)" +#: sssd-ldap.5.xml:404 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 sssd-ipa.5.xml:412 +#: sssd-ipa.5.xml:431 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:385 -msgid "The LDAP attribute that contains the path to the user's default shell." +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:409 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:389 -msgid "Default: loginShell" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:416 +msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:395 -msgid "ldap_user_uuid (string)" +#: sssd-ldap.5.xml:421 +msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:398 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +#: sssd-ldap.5.xml:424 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:402 sssd-ldap.5.xml:1001 +#: sssd-ldap.5.xml:430 msgid "" -"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " -"IPA" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:409 -msgid "ldap_user_objectsid (string)" +#: sssd-ldap.5.xml:442 +msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:412 +#: sssd-ldap.5.xml:445 msgid "" -"The LDAP attribute that contains the objectSID of an LDAP user object. This " -"is usually only necessary for ActiveDirectory servers." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1016 -msgid "Default: objectSid for ActiveDirectory, not set for other servers." +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:424 -msgid "ldap_user_modify_timestamp (string)" +#: sssd-ldap.5.xml:458 +msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:427 sssd-ldap.5.xml:1026 sssd-ldap.5.xml:1190 +#: sssd-ldap.5.xml:461 msgid "" -"The LDAP attribute that contains timestamp of the last modification of the " -"parent object." -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:431 sssd-ldap.5.xml:1030 sssd-ldap.5.xml:1197 -msgid "Default: modifyTimestamp" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:437 -msgid "ldap_user_shadow_last_change (string)" +#: sssd-ldap.5.xml:484 +msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:440 +#: sssd-ldap.5.xml:487 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " -"the last password change)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:450 -msgid "Default: shadowLastChange" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:456 -msgid "ldap_user_shadow_min (string)" +#: sssd-ldap.5.xml:502 +msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:459 +#: sssd-ldap.5.xml:505 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " -"password age)." +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:468 -msgid "Default: shadowMin" +#: sssd-ldap.5.xml:513 sssd-ldap.5.xml:1489 +msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:474 -msgid "ldap_user_shadow_max (string)" +#: sssd-ldap.5.xml:519 +msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:477 +#: sssd-ldap.5.xml:522 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " -"password age)." +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:486 -msgid "Default: shadowMax" +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:527 include/failover.xml:84 +msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:492 -msgid "ldap_user_shadow_warning (string)" +#: sssd-ldap.5.xml:533 +msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:495 +#: sssd-ldap.5.xml:536 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password warning period)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:505 -msgid "Default: shadowWarning" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:511 -msgid "ldap_user_shadow_inactive (string)" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:514 +#: sssd-ldap.5.xml:542 msgid "" -"When using ldap_pwd_policy=shadow, this parameter contains the name of an " -"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " -"(password inactivity period)." 
+"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:524 -msgid "Default: shadowInactive" +#: sssd-ldap.5.xml:548 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:530 -msgid "ldap_user_shadow_expire (string)" +#: sssd-ldap.5.xml:560 +msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:533 -msgid "" -"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " -"parameter contains the name of an LDAP attribute corresponding to its " -"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> counterpart (account expiration date)." +#: sssd-ldap.5.xml:563 +msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:543 -msgid "Default: shadowExpire" +#: sssd-ldap.5.xml:566 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:549 -msgid "ldap_user_krb_last_pwd_change (string)" +#: sssd-ldap.5.xml:581 +msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:552 +#: sssd-ldap.5.xml:584 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time of last password change in " -"kerberos." +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:558 -msgid "Default: krbLastPwdChange" +#: sssd-ldap.5.xml:590 +msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:564 -msgid "ldap_user_krb_password_expiration (string)" +#: sssd-ldap.5.xml:597 +msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:567 +#: sssd-ldap.5.xml:600 msgid "" -"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " -"an LDAP attribute storing the date and time when current password expires." +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:573 -msgid "Default: krbPasswordExpiration" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:579 -msgid "ldap_user_ad_account_expires (string)" +#: sssd-ldap.5.xml:606 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0. " +"Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:582 +#: sssd-ldap.5.xml:617 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the expiration time of the account." +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:587 -msgid "Default: accountExpires" +#: sssd-ldap.5.xml:625 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:593 -msgid "ldap_user_ad_user_account_control (string)" +#: sssd-ldap.5.xml:638 +msgid "ldap_tls_reqcert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:596 +#: sssd-ldap.5.xml:641 msgid "" -"When using ldap_account_expire_policy=ad, this parameter contains the name " -"of an LDAP attribute storing the user account control bit field." +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:601 -msgid "Default: userAccountControl" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:607 -msgid "ldap_ns_account_lock (string)" +#: sssd-ldap.5.xml:647 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:610 +#: sssd-ldap.5.xml:651 msgid "" -"When using ldap_account_expire_policy=rhds or equivalent, this parameter " -"determines if access is allowed or not." +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:615 -msgid "Default: nsAccountLock" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:621 -msgid "ldap_user_nds_login_disabled (string)" +#: sssd-ldap.5.xml:658 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:624 +#: sssd-ldap.5.xml:664 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines if " -"access is allowed or not." +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:628 sssd-ldap.5.xml:642 -msgid "Default: loginDisabled" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:634 -msgid "ldap_user_nds_login_expiration_time (string)" +#: sssd-ldap.5.xml:670 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:637 -msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines until " -"which date access is granted." +#: sssd-ldap.5.xml:674 +msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:648 -msgid "ldap_user_nds_login_allowed_time_map (string)" +#: sssd-ldap.5.xml:680 +msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:651 +#: sssd-ldap.5.xml:683 msgid "" -"When using ldap_account_expire_policy=nds, this attribute determines the " -"hours of a day in a week when access is granted." +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:656 -msgid "Default: loginAllowedTimeMap" +#: sssd-ldap.5.xml:688 sssd-ldap.5.xml:706 sssd-ldap.5.xml:747 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:662 -msgid "ldap_user_principal (string)" +#: sssd-ldap.5.xml:695 +msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:665 +#: sssd-ldap.5.xml:698 msgid "" -"The LDAP attribute that contains the user's Kerberos User Principal Name " -"(UPN)." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:669 -msgid "Default: krbPrincipalName" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:675 -msgid "ldap_user_extra_attrs (string)" +#: sssd-ldap.5.xml:713 +msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:678 -msgid "" -"Comma-separated list of LDAP attributes that SSSD would fetch along with the " -"usual set of user attributes." +#: sssd-ldap.5.xml:716 +msgid "Specifies the file that contains the certificate for the client's key." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:683 -msgid "" -"The list can either contain LDAP attribute names only, or colon-separated " -"tuples of SSSD cache attribute name and LDAP attribute name. In case only " -"LDAP attribute name is specified, the attribute is saved to the cache " -"verbatim. Using a custom SSSD attribute name might be required by " -"environments that configure several SSSD domains with different LDAP schemas." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:726 +msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:693 -msgid "" -"Please note that several attribute names are reserved by SSSD, notably the " -"<quote>name</quote> attribute. SSSD would report an error if any of the " -"reserved attribute names is used as an extra attribute name." +#: sssd-ldap.5.xml:729 +msgid "Specifies the file that contains the client's key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:703 -msgid "ldap_user_extra_attrs = telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:738 +msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:706 +#: sssd-ldap.5.xml:741 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as " -"<quote>telephoneNumber</quote> to the cache." +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:710 -msgid "ldap_user_extra_attrs = phone:telephoneNumber" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:754 +msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:713 +#: sssd-ldap.5.xml:757 msgid "" -"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" -"quote> to the cache." +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:723 -msgid "ldap_user_ssh_public_key (string)" +#: sssd-ldap.5.xml:767 +msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:726 -msgid "The LDAP attribute that contains the user's SSH public keys." +#: sssd-ldap.5.xml:770 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1293 -msgid "Default: sshPublicKey" +#: sssd-ldap.5.xml:776 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:736 -msgid "ldap_force_upper_case_realm (boolean)" +#: sssd-ldap.5.xml:786 +msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:739 +#: sssd-ldap.5.xml:789 msgid "" -"Some directory servers, for example Active Directory, might deliver the " -"realm part of the UPN in lower case, which might cause the authentication to " -"fail. Set this option to a non-zero value if you want to use an upper-case " -"realm." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:752 -msgid "ldap_enumeration_refresh_timeout (integer)" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:755 -msgid "" -"Specifies how many seconds SSSD has to wait before refreshing its cache of " -"enumerated records." +#: sssd-ldap.5.xml:801 +msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:766 -msgid "ldap_purge_cache_timeout (integer)" +#: sssd-ldap.5.xml:807 +msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:769 +#: sssd-ldap.5.xml:810 msgid "" -"Determine how often to check the cache for inactive entries (such as groups " -"with no members and users who have never logged in) and remove them to save " -"space." +"Specify the SASL mechanism to use. 
Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:775 +#: sssd-ldap.5.xml:814 msgid "" -"Setting this option to zero will disable the cache cleanup operation. Please " -"note that if enumeration is enabled, the cleanup task is required in order " -"to detect entries removed from the server and can't be disabled. By default, " -"the cleanup task will run every 3 hours with enumeration enabled." +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:790 -msgid "ldap_user_fullname (string)" +#: sssd-ldap.5.xml:830 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:842 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:793 -msgid "The LDAP attribute that corresponds to the user's full name." +#: sssd-ldap.5.xml:833 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. 
This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" +"myhost). By default, the value is not set and the following principals are " +"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " +"found, the first principal in keytab is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1222 -#: sssd-ldap.5.xml:1331 sssd-ldap.5.xml:2412 sssd-ipa.5.xml:622 -msgid "Default: cn" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:853 +msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:803 -msgid "ldap_user_member_of (string)" +#: sssd-ldap.5.xml:859 +msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:806 -msgid "The LDAP attribute that lists the user's group memberships." +#: sssd-ldap.5.xml:862 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:810 sssd-ldap.5.xml:1261 -msgid "Default: memberOf" +#: sssd-ldap.5.xml:868 +msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:816 -msgid "ldap_user_authorized_service (string)" +#: sssd-ldap.5.xml:874 +msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:819 +#: sssd-ldap.5.xml:877 msgid "" -"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " -"use the presence of the authorizedService attribute in the user's LDAP entry " -"to determine access privilege." +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:826 -msgid "" -"An explicit deny (!svc) is resolved first. Second, SSSD searches for " -"explicit allow (svc) and finally for allow_all (*)." +#: sssd-ldap.5.xml:882 +msgid "Default: false;" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:831 -msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>authorized_service</quote> in order for the " -"ldap_user_authorized_service option to work." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:888 +msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:838 -msgid "" -"Some distributions (such as Fedora-29+ or RHEL-8) always include the " -"<quote>systemd-user</quote> PAM service as part of the login process. " -"Therefore when using service-based access control, the <quote>systemd-user</" -"quote> service might need to be added to the list of allowed services." +#: sssd-ldap.5.xml:891 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:846 -msgid "Default: authorizedService" +#: sssd-ldap.5.xml:895 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:852 -msgid "ldap_user_authorized_host (string)" +#: sssd-ldap.5.xml:901 +msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:855 +#: sssd-ldap.5.xml:904 msgid "" -"If access_provider=ldap and ldap_access_order=host, SSSD will use the " -"presence of the host attribute in the user's LDAP entry to determine access " -"privilege." +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:861 -msgid "" -"An explicit deny (!host) is resolved first. Second, SSSD searches for " -"explicit allow (host) and finally for allow_all (*)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:916 +msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:866 +#: sssd-ldap.5.xml:919 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>host</quote> in order for the " -"ldap_user_authorized_host option to work." +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:873 -msgid "Default: host" +#: sssd-ldap.5.xml:923 sssd-ad.5.xml:1090 +msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:879 -msgid "ldap_user_authorized_rhost (string)" +#: sssd-ldap.5.xml:929 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:882 +#: sssd-ldap.5.xml:932 msgid "" -"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " -"presence of the rhost attribute in the user's LDAP entry to determine access " -"privilege. Similarly to host verification process." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:889 +#: sssd-ldap.5.xml:944 sssd-krb5.5.xml:89 msgid "" -"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " -"explicit allow (rhost) and finally for allow_all (*)." +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:894 +#: sssd-ldap.5.xml:949 sssd-krb5.5.xml:94 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>rhost</quote> in order for the " -"ldap_user_authorized_rhost option to work." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:901 -msgid "Default: rhost" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:907 -msgid "ldap_user_certificate (string)" +#: sssd-ldap.5.xml:958 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:910 -msgid "Name of the LDAP attribute containing the X509 certificate of the user." +#: sssd-ldap.5.xml:961 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:914 -msgid "Default: userCertificate;binary" +#: sssd-ldap.5.xml:965 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:920 -msgid "ldap_user_email (string)" +#: sssd-ldap.5.xml:971 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:923 -msgid "Name of the LDAP attribute containing the email address of the user." +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:986 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:927 +#: sssd-ldap.5.xml:989 sssd-krb5.5.xml:480 msgid "" -"Note: If an email address of a user conflicts with an email address or fully " -"qualified name of another user, then SSSD will not be able to serve those " -"users properly. If for some reason several users need to share the same " -"email address then set this option to a nonexistent attribute name in order " -"to disable user lookup/login by email." +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:936 -msgid "Default: mail" +#: sssd-ldap.5.xml:1000 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:942 -msgid "ldap_group_object_class (string)" +#: sssd-ldap.5.xml:1014 +msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:945 -msgid "The object class of a group entry in LDAP." +#: sssd-ldap.5.xml:1017 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:948 -msgid "Default: posixGroup" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:954 -msgid "ldap_group_name (string)" +#: sssd-ldap.5.xml:1022 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:957 -msgid "The LDAP attribute that corresponds to the group name." +#: sssd-ldap.5.xml:1027 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:961 -msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:968 -msgid "ldap_group_gid_number (string)" +#: sssd-ldap.5.xml:1033 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:971 -msgid "The LDAP attribute that corresponds to the group's id." +#: sssd-ldap.5.xml:1042 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:981 -msgid "ldap_group_member (string)" +#: sssd-ldap.5.xml:1050 +msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:984 -msgid "The LDAP attribute that contains the names of the group's members." +#: sssd-ldap.5.xml:1053 +msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:988 -msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:994 -msgid "ldap_group_uuid (string)" +#: sssd-ldap.5.xml:1057 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:997 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +#: sssd-ldap.5.xml:1062 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1008 -msgid "ldap_group_objectsid (string)" +#: sssd-ldap.5.xml:1076 +msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1011 -msgid "" -"The LDAP attribute that contains the objectSID of an LDAP group object. This " -"is usually only necessary for ActiveDirectory servers." +#: sssd-ldap.5.xml:1079 +msgid "Specifies the service name to use when service discovery is enabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1023 -msgid "ldap_group_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1083 +msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1036 -msgid "ldap_group_type (integer)" +#: sssd-ldap.5.xml:1089 +msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1039 +#: sssd-ldap.5.xml:1092 msgid "" -"The LDAP attribute that contains an integer value indicating the type of the " -"group and maybe other flags." +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1044 -msgid "" -"This attribute is currently only used by the AD provider to determine if a " -"group is a domain local groups and has to be filtered out for trusted " -"domains." +#: sssd-ldap.5.xml:1097 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1103 +msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1050 -msgid "Default: groupType in the AD provider, otherwise not set" +#: sssd-ldap.5.xml:1106 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1057 -msgid "ldap_group_external_member (string)" +#: sssd-ldap.5.xml:1118 +msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1060 +#: sssd-ldap.5.xml:1121 msgid "" -"The LDAP attribute that references group members that are defined in an " -"external domain. At the moment, only IPA's external members are supported." 
+"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1066 -msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +#: sssd-ldap.5.xml:1141 +msgid "Example:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1073 -msgid "ldap_group_nesting_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1144 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1076 +#: sssd-ldap.5.xml:1148 msgid "" -"If ldap_schema is set to a schema format that supports nested groups (e.g. " -"RFC2307bis), then this option controls how many levels of nesting SSSD will " -"follow. This option has no effect on the RFC2307 schema." +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1083 +#: sssd-ldap.5.xml:1153 msgid "" -"Note: This option specifies the guaranteed level of nested groups to be " -"processed for any lookup. However, nested groups beyond this limit " -"<emphasis>may be</emphasis> returned if previous lookups already resolved " -"the deeper nesting levels. Also, subsequent lookups for other groups may " -"enlarge the result set for original lookup if re-queried." +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1092 -msgid "" -"If ldap_group_nesting_level is set to 0 then no nested groups are processed " -"at all. However, when connected to Active-Directory Server 2008 and later " -"using <quote>id_provider=ad</quote> it is furthermore required to disable " -"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " -"restrict group nesting." +#: sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1218 +msgid "Default: Empty" msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1101 include/failover.xml:100 -msgid "Default: 2" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_account_expire_policy (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1110 +#: sssd-ldap.5.xml:1170 msgid "" -"This options enables or disables use of Token-Groups attribute when " -"performing initgroup for users from Active Directory Server 2008 and later." +"With this option a client side evaluation of access control attributes can " +"be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1115 -msgid "Default: True for AD and IPA otherwise False." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1121 -msgid "ldap_netgroup_object_class (string)" +#: sssd-ldap.5.xml:1174 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1124 -msgid "The object class of a netgroup entry in LDAP." +#: sssd-ldap.5.xml:1181 +msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1127 -msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +#: sssd-ldap.5.xml:1184 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1131 -msgid "Default: nisNetgroup" +#: sssd-ldap.5.xml:1189 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. 
If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1137 -msgid "ldap_netgroup_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1196 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1140 -msgid "The LDAP attribute that corresponds to the netgroup name." +#: sssd-ldap.5.xml:1202 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1144 -msgid "In IPA provider, ipa_netgroup_name should be used instead." +#: sssd-ldap.5.xml:1211 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1154 -msgid "ldap_netgroup_member (string)" +#: sssd-ldap.5.xml:1224 +msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1157 -msgid "The LDAP attribute that contains the names of the netgroup's members." 
+#: sssd-ldap.5.xml:1227 +msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1161 -msgid "In IPA provider, ipa_netgroup_member should be used instead." +#: sssd-ldap.5.xml:1231 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1165 -msgid "Default: memberNisNetgroup" +#: sssd-ldap.5.xml:1234 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1171 -msgid "ldap_netgroup_triple (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1174 +#: sssd-ldap.5.xml:1251 msgid "" -"The LDAP attribute that contains the (host, user, domain) netgroup triples." +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. 
Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1178 sssd-ldap.5.xml:1194 -msgid "This option is not available in IPA provider." +#: sssd-ldap.5.xml:1268 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1181 -msgid "Default: nisNetgroupTriple" +#: sssd-ldap.5.xml:1272 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1187 -msgid "ldap_netgroup_modify_timestamp (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1282 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1203 -msgid "ldap_host_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1290 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1206 -msgid "The object class of a host entry in LDAP." +#: sssd-ldap.5.xml:1294 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1209 sssd-ldap.5.xml:1318 -msgid "Default: ipService" +#: sssd-ldap.5.xml:1299 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1215 -msgid "ldap_host_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1304 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1244 -msgid "The LDAP attribute that corresponds to the host's name." +#: sssd-ldap.5.xml:1308 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1228 -msgid "ldap_host_fqdn (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1312 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1231 -msgid "" -"The LDAP attribute that corresponds to the host's fully-qualified domain " -"name." +#: sssd-ldap.5.xml:1317 +msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1235 -msgid "Default: fqdn" +#: sssd-ldap.5.xml:1320 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1241 -msgid "ldap_host_serverhostname (string)" +#: sssd-ldap.5.xml:1327 +msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1248 -msgid "Default: serverHostname" +#: sssd-ldap.5.xml:1330 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1254 -msgid "ldap_host_member_of (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1338 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1257 -msgid "The LDAP attribute that lists the host's group memberships." +#: sssd-ldap.5.xml:1341 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1267 -msgid "ldap_host_search_base (string)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1270 -msgid "Optional. Use the given string as search base for host objects." +#: sssd-ldap.5.xml:1347 +msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1274 sssd-ipa.5.xml:374 sssd-ipa.5.xml:393 -#: sssd-ipa.5.xml:412 sssd-ipa.5.xml:431 +#: sssd-ldap.5.xml:1350 msgid "" -"See <quote>ldap_search_base</quote> for information about configuring " -"multiple search bases." +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" msgstr "" -#. type: Content of: <listitem><para> -#: sssd-ldap.5.xml:1279 sssd-ipa.5.xml:379 include/ldap_search_bases.xml:27 -msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1355 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1286 -msgid "ldap_host_ssh_public_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1359 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1289 -msgid "The LDAP attribute that contains the host's SSH public keys." +#: sssd-ldap.5.xml:1364 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1299 -msgid "ldap_host_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1369 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1302 -msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +#: sssd-ldap.5.xml:1374 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1312 -msgid "ldap_service_object_class (string)" +#: sssd-ldap.5.xml:1382 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1315 -msgid "The object class of a service entry in LDAP." 
+#: sssd-ldap.5.xml:1385 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1324 -msgid "ldap_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1389 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1327 +#: sssd-ldap.5.xml:1400 msgid "" -"The LDAP attribute that contains the name of service attributes and their " -"aliases." +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1337 -msgid "ldap_service_port (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1412 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1340 -msgid "The LDAP attribute that contains the port managed by this service." 
+#: sssd-ldap.5.xml:1415 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1344 -msgid "Default: ipServicePort" +#: sssd-ldap.5.xml:1419 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1350 -msgid "ldap_service_proto (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1423 +msgid "Default: 1000 (often the size of one page)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1353 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 msgid "" -"The LDAP attribute that contains the protocols understood by this service." +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. Note that SSSD " +"LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1357 -msgid "Default: ipServiceProtocol" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1433 +msgid "SUDO OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1363 -msgid "ldap_service_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1435 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1368 -msgid "ldap_search_timeout (integer)" +#: sssd-ldap.5.xml:1446 +msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1371 +#: sssd-ldap.5.xml:1449 msgid "" -"Specifies the timeout (in seconds) that ldap searches are allowed to run " -"before they are cancelled and cached results are returned (and offline mode " -"is entered)" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1377 +#: sssd-ldap.5.xml:1454 msgid "" -"Note: this option is subject to change in future versions of the SSSD. It " -"will likely be replaced at some point by a series of timeouts for specific " -"lookup types." +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1459 +msgid "Default: 21600 (6 hours)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1389 -msgid "ldap_enumeration_search_timeout (integer)" +#: sssd-ldap.5.xml:1465 +msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1392 +#: sssd-ldap.5.xml:1468 msgid "" -"Specifies the timeout (in seconds) that ldap searches for user and group " -"enumerations are allowed to run before they are cancelled and cached results " -"are returned (and offline mode is entered)" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1405 -msgid "ldap_network_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1408 +#: sssd-ldap.5.xml:1478 msgid "" -"Specifies the timeout (in seconds) after which the <citerefentry> " -"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" -"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" -"manvolnum> </citerefentry> following a <citerefentry> " -"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" -"citerefentry> returns in case of no activity." 
+"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1431 -msgid "ldap_opt_timeout (integer)" +#: sssd-ldap.5.xml:1495 +msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1434 +#: sssd-ldap.5.xml:1498 msgid "" -"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " -"will abort if no response is received. Also controls the timeout when " -"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " -"operation, password change extended operation and the StartTLS operation." +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1449 -msgid "ldap_connection_expire_timeout (integer)" +#: sssd-ldap.5.xml:1509 +msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1452 +#: sssd-ldap.5.xml:1512 msgid "" -"Specifies a timeout (in seconds) that a connection to an LDAP server will be " -"maintained. After this time, the connection will be re-established. If used " -"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " -"the TGT lifetime) will be used." 
+"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1460 sssd-ldap.5.xml:2580 -msgid "Default: 900 (15 minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1466 -msgid "ldap_page_size (integer)" +#: sssd-ldap.5.xml:1517 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1469 +#: sssd-ldap.5.xml:1522 sssd-ldap.5.xml:1545 sssd-ldap.5.xml:1563 +#: sssd-ldap.5.xml:1581 msgid "" -"Specify the number of records to retrieve from LDAP in a single request. " -"Some LDAP servers enforce a maximum limit per-request." +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." msgstr "" -#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1474 include/failover.xml:84 -msgid "Default: 1000" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1527 sssd-ldap.5.xml:1550 +msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1480 -msgid "ldap_disable_paging (boolean)" +#: sssd-ldap.5.xml:1533 +msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1483 +#: sssd-ldap.5.xml:1536 msgid "" -"Disable the LDAP paging control. 
This option should be used if the LDAP " -"server reports that it supports the LDAP paging control in its RootDSE but " -"it is not enabled or does not behave properly." +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1489 +#: sssd-ldap.5.xml:1541 msgid "" -"Example: OpenLDAP servers with the paging control module installed on the " -"server but not enabled will report it in the RootDSE but be unable to use it." +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1556 +msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1495 +#: sssd-ldap.5.xml:1559 msgid "" -"Example: 389 DS has a bug where it can only support a one paging control at " -"a time on a single connection. On busy clients, this can result in some " -"requests being denied." +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1507 -msgid "ldap_disable_range_retrieval (boolean)" +#: sssd-ldap.5.xml:1574 +msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1510 -msgid "Disable Active Directory range retrieval." +#: sssd-ldap.5.xml:1577 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1513 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1587 msgid "" -"Active Directory limits the number of members to be retrieved in a single " -"lookup using the MaxValRange policy (which defaults to 1500 members). If a " -"group contains more members, the reply would include an AD-specific range " -"extension. This option disables parsing of the range extension, therefore " -"large groups will appear as having no members." +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1528 -msgid "ldap_sasl_minssf (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1599 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1531 -msgid "" -"When communicating with an LDAP server using SASL, specify the minimum " -"security level necessary to establish the connection. The values of this " -"option are defined by OpenLDAP." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1609 +msgid "AUTOFS OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1537 -msgid "Default: Use the system default (usually specified by ldap.conf)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1544 -msgid "ldap_deref_threshold (integer)" +#: sssd-ldap.5.xml:1617 +msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1547 -msgid "" -"Specify the number of group members that must be missing from the internal " -"cache in order to trigger a dereference lookup. If less members are missing, " -"they are looked up individually." +#: sssd-ldap.5.xml:1620 +msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1553 -msgid "" -"You can turn off dereference lookups completely by setting the value to 0. " -"Please note that there are some codepaths in SSSD, like the IPA HBAC " -"provider, that are only implemented using the dereference call, so even with " -"dereference explicitly disabled, those parts will still use dereference if " -"the server supports it and advertises the dereference control in the rootDSE " -"object." +#: sssd-ldap.5.xml:1623 +msgid "Default: auto.master" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1564 -msgid "" -"A dereference lookup is a means of fetching all group members in a single " -"LDAP call. Different LDAP servers may implement different dereference " -"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " -"Directory." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1634 +msgid "ADVANCED OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1572 -msgid "" -"<emphasis>Note:</emphasis> If any of the search bases specifies a search " -"filter, then the dereference lookup performance enhancement will be disabled " -"regardless of this setting." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1641 +msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1585 -msgid "ldap_tls_reqcert (string)" +#: sssd-ldap.5.xml:1646 +msgid "ldap_user_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1588 -msgid "" -"Specifies what checks to perform on server certificates in a TLS session, if " -"any. It can be specified as one of the following values:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1651 +msgid "ldap_group_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1594 -msgid "" -"<emphasis>never</emphasis> = The client will not request or check any server " -"certificate." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:1656 +msgid "<note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1598 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:1658 msgid "" -"<emphasis>allow</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. 
If a bad certificate " -"is provided, it will be ignored and the session proceeds normally." +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1605 -msgid "" -"<emphasis>try</emphasis> = The server certificate is requested. If no " -"certificate is provided, the session proceeds normally. If a bad certificate " -"is provided, the session is immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:1665 +msgid "</note>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1611 -msgid "" -"<emphasis>demand</emphasis> = The server certificate is requested. If no " -"certificate is provided, or a bad certificate is provided, the session is " -"immediately terminated." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1667 +msgid "ldap_sudo_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1617 -msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1672 +msgid "ldap_autofs_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1621 -msgid "Default: hard" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1627 -msgid "ldap_tls_cacert (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1687 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 +#: sssd-ad.5.xml:1209 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1630 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1689 msgid "" -"Specifies the file that contains certificates for all of the Certificate " -"Authorities that <command>sssd</command> will recognize." +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1635 sssd-ldap.5.xml:1653 sssd-ldap.5.xml:1694 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1695 +#, no-wrap msgid "" -"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." -"conf</filename>" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1642 -msgid "ldap_tls_cacertdir (string)" +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:1694 sssd-ldap.5.xml:1712 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1217 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 +#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1645 +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1706 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1708 msgid "" -"Specifies the path of a directory that contains Certificate Authority " -"certificates in separate individual files. Typically the file names need to " -"be the hash of the certificate followed by '.0'. If available, " -"<command>cacertdir_rehash</command> can be used to create the correct names." +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1660 -msgid "ldap_tls_cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:1713 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1663 -msgid "Specifies the file that contains the certificate for the client's key." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1728 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1232 sssd.8.xml:257 sss_seed.8.xml:163 +msgid "NOTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1673 -msgid "ldap_tls_key (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1730 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1676 -msgid "Specifies the file that contains the client's key." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1685 -msgid "ldap_tls_cipher_suite (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1688 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 msgid "" -"Specifies acceptable cipher suites. Typically this is a colon separated " -"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry> for format." 
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " +"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " +"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1701 -msgid "ldap_id_use_start_tls (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:64 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1704 -msgid "" -"Specifies that the id_provider connection must also use <systemitem class=" -"\"protocol\">tls</systemitem> to protect the channel." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:74 +msgid "<option>quiet</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1714 -msgid "ldap_id_mapping (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:77 +msgid "Suppress log messages for unknown users." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1717 -msgid "" -"Specifies that SSSD should attempt to map user and group IDs from the " -"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " -"on ldap_user_uid_number and ldap_group_gid_number." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:82 +msgid "<option>forward_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1723 -msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:85 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1733 -msgid "ldap_min_id, ldap_max_id (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:92 +msgid "<option>use_first_pass</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1736 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:95 msgid "" -"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " -"set to true the allowed ID range for ldap_user_uid_number and " -"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " -"might lead to ID collisions. 
To avoid collisions ldap_min_id and ldap_max_id " -"can be set to restrict the allowed range for the IDs which are read directly " -"from the server. Sub-domains can then pick other ranges to map IDs." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1748 -msgid "Default: not set (both options are set to 0)" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1754 -msgid "ldap_sasl_mech (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:103 +msgid "<option>use_authtok</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1757 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:106 msgid "" -"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " -"tested and supported." +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1761 -msgid "" -"If the backend supports sub-domains the value of ldap_sasl_mech is " -"automatically inherited to the sub-domains. If a different value is needed " -"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " -"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:113 +msgid "<option>retry=N</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1777 -msgid "ldap_sasl_authid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:116 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ldap.5.xml:1789 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:118 msgid "" -"hostname@REALM\n" -"netbiosname$@REALM\n" -"host/hostname@REALM\n" -"*$@REALM\n" -"host/*@REALM\n" -"host/*\n" -" " +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1780 -msgid "" -"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " -"this represents the Kerberos principal used for authentication to the " -"directory. This option can either contain the full principal (for example " -"host/myhost@EXAMPLE.COM) or just the principal name (for example host/" -"myhost). By default, the value is not set and the following principals are " -"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " -"found, the first principal in keytab is returned." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:127 +msgid "<option>ignore_unknown_user</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1800 -msgid "Default: host/hostname@REALM" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:130 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1806 -msgid "ldap_sasl_realm (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:137 +msgid "<option>ignore_authinfo_unavail</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1809 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:141 msgid "" -"Specify the SASL realm to use. When not specified, this option defaults to " -"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " -"well, this option is ignored." +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1815 -msgid "Default: the value of krb5_realm." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:148 +msgid "<option>domains</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1821 -msgid "ldap_sasl_canonicalize (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1824 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:158 msgid "" -"If set to true, the LDAP library would perform a reverse lookup to " -"canonicalize the host name during a SASL bind." +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1829 -msgid "Default: false;" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:172 +msgid "<option>allow_missing_name</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1835 -msgid "ldap_krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:176 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1838 -msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:186 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1842 -msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:181 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1848 -msgid "ldap_krb5_init_creds (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:196 +msgid "<option>prompt_always</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1851 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:200 msgid "" -"Specifies that the id_provider should init Kerberos credentials (TGT). This " -"action is performed only if SASL is used and the mechanism selected is " -"GSSAPI or GSS-SPNEGO." +"Always prompt the user for credentials. 
With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1863 -msgid "ldap_krb5_ticket_lifetime (integer)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:211 +msgid "<option>try_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1866 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:215 msgid "" -"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1870 sssd-ad.5.xml:978 -msgid "Default: 86400 (24 hours)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:223 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1876 sssd-krb5.5.xml:74 -msgid "krb5_server, krb5_backup_server (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:231 +msgid "<option>require_cert_auth</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1879 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:235 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled - for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1891 sssd-krb5.5.xml:89 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:245 msgid "" -"When using service discovery for KDC or kpasswd servers, SSSD first searches " -"for DNS entries that specify _udp as the protocol and falls back to _tcp if " -"none are found." +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1896 sssd-krb5.5.xml:94 -msgid "" -"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " -"While the legacy name is recognized for the time being, users are advised to " -"migrate their config files to use <quote>krb5_server</quote> instead." +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:255 +msgid "MODULE TYPES PROVIDED" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1905 sssd-ipa.5.xml:443 sssd-krb5.5.xml:103 -msgid "krb5_realm (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:256 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1908 -msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:259 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1912 -msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:266 +msgid "FILES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1918 sssd-krb5.5.xml:462 -msgid "krb5_canonicalize (boolean)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:267 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1921 -msgid "" -"Specifies if the host principal should be canonicalized when connecting to " -"LDAP server. This feature is available with MIT Kerberos >= 1.7" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1933 sssd-krb5.5.xml:477 -msgid "krb5_use_kdcinfo (boolean)" +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:272 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1936 sssd-krb5.5.xml:480 +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:282 msgid "" -"Specifies if the SSSD should instruct the Kerberos libraries what realm and " -"which KDCs to use. This option is on by default, if you disable it, you need " -"to configure the Kerberos library using the <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> configuration file." 
+"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:491 -msgid "" -"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " -"information on the locator plugin." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1961 -msgid "ldap_pwd_policy (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1964 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 msgid "" -"Select the policy to evaluate the password expiration on the client side. " -"The following values are allowed:" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1969 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 msgid "" -"<emphasis>none</emphasis> - No evaluation on the client side. This option " -"cannot disable server-side password policies." +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable it. " +"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1974 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 msgid "" -"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " -"evaluate if the password has expired." +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. 
Valid entries are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1980 -msgid "" -"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " -"to determine if the password has expired. Use chpass_provider=krb5 to update " -"these attributes when the password is changed." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:1989 -msgid "" -"<emphasis>Note</emphasis>: if a password policy is configured on server " -"side, it always takes precedence over policy set with this option." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:1997 -msgid "ldap_referrals (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2000 -msgid "Specifies whether automatic referral chasing should be enabled." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2004 -msgid "" -"Please note that sssd only supports referral chasing when it is compiled " -"with OpenLDAP version 2.4.13 or higher." +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2009 -msgid "" -"Chasing referrals may incur a performance penalty in environments that use " -"them heavily, a notable example is Microsoft Active Directory. If your setup " -"does not in fact require the use of referrals, setting this option to false " -"might bring a noticeable performance improvement." +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2023 -msgid "ldap_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2026 -msgid "Specifies the service name to use when service discovery is enabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" +"write KDCs. 
If this file exists for the given realm the content will be used " +"by the plugin to reply to requests for a kpasswd or kadmin server or for the " +"MIT Kerberos specific master KDC. If the address contains a port number the " +"default KDC port 88 will be used for the latter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2030 -msgid "Default: ldap" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2036 -msgid "ldap_chpass_dns_service_name (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2039 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 msgid "" -"Specifies the service name to use to find an LDAP server which allows " -"password changes when service discovery is enabled." +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2044 -msgid "Default: not set, i.e. service discovery is disabled" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2050 -msgid "ldap_chpass_update_last_change (bool)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2053 -msgid "" -"Specifies whether to update the ldap_user_shadow_last_change attribute with " -"days since the Epoch after a password change operation." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2065 -msgid "ldap_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2068 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 msgid "" -"If using access_provider = ldap and ldap_access_order = filter (default), " -"this option is mandatory. It specifies an LDAP search filter criteria that " -"must be met for the user to be granted access on this host. If " -"access_provider = ldap, ldap_access_order = filter and this option is not " -"set, it will result in all users being denied access. Use access_provider = " -"permit to change this default behavior. Please note that this filter is " -"applied on the LDAP user entry only and thus filtering based on nested " -"groups may not work (e.g. memberOf attribute on AD entries points only to " -"direct parents). If filtering based on nested groups is required, please see " -"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry>." +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2088 -msgid "Example:" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ldap.5.xml:2091 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 msgid "" -"access_provider = ldap\n" -"ldap_access_filter = (employeeType=admin)\n" -" " +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2095 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 msgid "" -"This example means that access to this host is restricted to users whose " -"employeeType attribute is set to \"admin\"." +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2100 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 msgid "" -"Offline caching for this feature is limited to determining whether the " -"user's last online login was granted access permission. If they were granted " -"access during their last login, they will continue to be granted access " -"while offline and vice versa." +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2108 sssd-ldap.5.xml:2165 -msgid "Default: Empty" +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2114 -msgid "ldap_account_expire_policy (string)" +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2117 -msgid "" -"With this option a client side evaluation of access control attributes can " -"be enabled." +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2121 +#: sssd-simple.5.xml:100 msgid "" -"Please note that it is always recommended to use server side access control, " -"i.e. the LDAP server should deny the bind request with a suitable error code " -"even if the password is correct." +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2128 -msgid "The following values are allowed:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2131 +#: sssd-simple.5.xml:111 msgid "" -"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " -"determine if the account is expired." +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2136 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 msgid "" -"<emphasis>ad</emphasis>: use the value of the 32bit field " -"ldap_user_ad_user_account_control and allow access if the second bit is not " -"set. If the attribute is missing access is granted. Also the expiration time " -"of the account is checked." +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2143 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 msgid "" -"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" -"emphasis>: use the value of ldap_ns_account_lock to check if access is " -"allowed or not." +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2149 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 msgid "" -"<emphasis>nds</emphasis>: the values of " -"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " -"ldap_user_nds_login_expiration_time are used to check if access is allowed. " -"If both attributes are missing access is granted." +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2158 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 msgid "" -"Please note that the ldap_access_order configuration option <emphasis>must</" -"emphasis> include <quote>expire</quote> in order for the " -"ldap_account_expire_policy option to work." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2171 -msgid "ldap_access_order (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2174 -msgid "Comma separated list of access control options. Allowed values are:" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2178 -msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2181 -msgid "" -"<emphasis>lockout</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " -"Please note that 'access_provider = ldap' must be set for this feature to " -"work." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 msgid "" -"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" -"quote> option and might be removed in a future release. </emphasis>" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2198 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 msgid "" -"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " -"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " -"and has value of '000001010000Z' or represents any time in the past. The " -"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " -"denotes the UTC time zone. Other time zones are not currently supported and " -"will result in \"access-denied\" when users attempt to log in. Please see " -"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " -"must be set for this feature to work." 
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2215 -msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2219 -msgid "" -"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis> These options are useful if users are " -"interested in being warned that password is about to expire and " -"authentication is based on using a different method than passwords - for " -"example SSH keys." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2229 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 msgid "" -"The difference between these options is the action taken if user password is " -"expired: pwd_expire_policy_reject - user is denied to log in, " -"pwd_expire_policy_warn - user is still able to log in, " -"pwd_expire_policy_renew - user is prompted to change his password " -"immediately." +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2237 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 msgid "" -"Note If user password is expired no explicit message is prompted by SSSD." +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2241 -msgid "" -"Please note that 'access_provider = ldap' must be set for this feature to " -"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2246 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 msgid "" -"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " -"to determine access" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2251 -msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2255 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 msgid "" -"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " -"remote host can access" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2259 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 msgid "" -"Please note, rhost field in pam is set by application, it is better to check " -"what the application sends to pam, before enabling this access control option" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2264 -msgid "Default: filter" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2267 -msgid "" -"Please note that it is a configuration error if a value is used more than " -"once." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2274 -msgid "ldap_pwdlockout_dn (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2277 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 msgid "" -"This option specifies the DN of password policy entry on LDAP server. Please " -"note that absence of this option in sssd.conf in case of enabled account " -"lockout checking will yield access denied as ppolicy attributes on LDAP " -"server cannot be checked properly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2285 -msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2288 -msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2294 -msgid "ldap_deref (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2297 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 msgid "" -"Specifies how alias dereferencing is done when performing a search. The " -"following options are allowed:" +"This option can be used to specify which key usage values the certificate " +"should have. 
The following values can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2302 -msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2306 -msgid "" -"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " -"the base object, but not in locating the base object of the search." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2311 -msgid "" -"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " -"the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2316 -msgid "" -"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " -"in locating the base object of the search." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2321 -msgid "" -"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " -"client libraries)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2329 -msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2332 -msgid "" -"Allows to retain local users as members of an LDAP group for servers that " -"use the RFC2307 schema." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2336 -msgid "" -"In some environments where the RFC2307 schema is used, local users are made " -"members of LDAP groups by adding their names to the memberUid attribute. " -"The self-consistency of the domain is compromised when this is done, so SSSD " -"would normally remove the \"missing\" users from the cached group " -"memberships as soon as nsswitch tries to fetch information about the user " -"via getpw*() or initgroups() calls." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2347 -msgid "" -"This option falls back to checking if local users are referenced, and caches " -"them so that later initgroups() calls will augment the local users with the " -"additional LDAP groups." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2359 sssd-ifp.5.xml:136 -msgid "wildcard_limit (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2362 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2366 -msgid "At the moment, only the InfoPipe responder supports wildcard lookups." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2370 -msgid "Default: 1000 (often the size of one page)" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:51 -msgid "" -"All of the common configuration options that apply to SSSD domains also " -"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for full details. <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2380 -msgid "SUDO OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2382 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 msgid "" -"The detailed instructions for configuration of sudo_provider are in the " -"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>." +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2393 -msgid "ldap_sudorule_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2396 -msgid "The object class of a sudo rule entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2399 -msgid "Default: sudoRole" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2405 -msgid "ldap_sudorule_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2408 -msgid "The LDAP attribute that corresponds to the sudo rule name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2418 -msgid "ldap_sudorule_command (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2421 -msgid "The LDAP attribute that corresponds to the command name." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2425 -msgid "Default: sudoCommand" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2431 -msgid "ldap_sudorule_host (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2434 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 msgid "" -"The LDAP attribute that corresponds to the host name (or host IP address, " -"host IP network, or host netgroup)" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2439 -msgid "Default: sudoHost" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2445 -msgid "ldap_sudorule_user (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2448 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 msgid "" -"The LDAP attribute that corresponds to the user name (or UID, group name or " -"user's netgroup)" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2452 -msgid "Default: sudoUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2458 -msgid "ldap_sudorule_option (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2461 -msgid "The LDAP attribute that corresponds to the sudo options." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2465 -msgid "Default: sudoOption" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2471 -msgid "ldap_sudorule_runasuser (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2474 -msgid "" -"The LDAP attribute that corresponds to the user name that commands may be " -"run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2478 -msgid "Default: sudoRunAsUser" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2484 -msgid "ldap_sudorule_runasgroup (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2487 -msgid "" -"The LDAP attribute that corresponds to the group name or group GID that " -"commands may be run as." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2491 -msgid "Default: sudoRunAsGroup" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2497 -msgid "ldap_sudorule_notbefore (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2500 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 msgid "" -"The LDAP attribute that corresponds to the start date/time for when the sudo " -"rule is valid." +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2504 -msgid "Default: sudoNotBefore" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2510 -msgid "ldap_sudorule_notafter (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2513 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 msgid "" -"The LDAP attribute that corresponds to the expiration date/time, after which " -"the sudo rule will no longer be valid." +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2518 -msgid "Default: sudoNotAfter" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2524 -msgid "ldap_sudorule_order (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2527 -msgid "The LDAP attribute that corresponds to the ordering index of the rule." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2531 -msgid "Default: sudoOrder" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2537 -msgid "ldap_sudo_full_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2540 -msgid "" -"How many seconds SSSD will wait between executing a full refresh of sudo " -"rules (which downloads all rules that are stored on the server)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2545 -msgid "" -"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" -"emphasis>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2550 -msgid "Default: 21600 (6 hours)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2556 -msgid "ldap_sudo_smart_refresh_interval (integer)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2559 -msgid "" -"How many seconds SSSD has to wait before executing a smart refresh of sudo " -"rules (which downloads all rules that have USN higher than the highest " -"server USN value that is currently known by SSSD)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2565 -msgid "" -"If USN attributes are not supported by the server, the modifyTimestamp " -"attribute is used instead." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2569 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 msgid "" -"<emphasis>Note:</emphasis> the highest USN value can be updated by three " -"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " -"enumeration of users and groups (if enabled and updated users or groups are " -"found) and 3) by reconnecting to the server (by default every 15 minutes, " -"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2586 -msgid "ldap_sudo_use_host_filter (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2589 -msgid "" -"If true, SSSD will download only rules that are applicable to this machine " -"(using the IPv4 or IPv6 host/network addresses and hostnames)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2600 -msgid "ldap_sudo_hostnames (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2603 -msgid "" -"Space separated list of hostnames or fully qualified domain names that " -"should be used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2608 -msgid "" -"If this option is empty, SSSD will try to discover the hostname and the " -"fully qualified domain name automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2613 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 -#: sssd-ldap.5.xml:2672 -msgid "" -"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" -"emphasis> then this option has no effect." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2641 -msgid "Default: not specified" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2624 -msgid "ldap_sudo_ip (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2627 -msgid "" -"Space separated list of IPv4 or IPv6 host/network addresses that should be " -"used to filter the rules." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2632 -msgid "" -"If this option is empty, SSSD will try to discover the addresses " -"automatically." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2647 -msgid "ldap_sudo_include_netgroups (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2650 -msgid "" -"If true then SSSD will download every rule that contains a netgroup in " -"sudoHost attribute." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2665 -msgid "ldap_sudo_include_regexp (boolean)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2668 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 msgid "" -"If true then SSSD will download every rule that contains a wildcard in " -"sudoHost attribute." +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> -#: sssd-ldap.5.xml:2678 -msgid "" -"Using wildcard is an operation that is very costly to evaluate on the LDAP " -"server side!" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2690 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 msgid "" -"This manual page only describes attribute name mapping. For detailed " -"explanation of sudo related attribute semantics, see <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2700 -msgid "AUTOFS OPTIONS" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2702 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 msgid "" -"Some of the defaults for the parameters below are dependent on the LDAP " -"schema." +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2708 -msgid "ldap_autofs_map_master_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2711 -msgid "The name of the automount master map in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2714 -msgid "Default: auto.master" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2721 -msgid "ldap_autofs_map_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2724 -msgid "The object class of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2727 -msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2735 -msgid "ldap_autofs_map_name (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2738 -msgid "The name of an automount map entry in LDAP." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2741 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 msgid "" -"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2749 -msgid "ldap_autofs_entry_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2752 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 msgid "" -"The object class of an automount entry in LDAP. The entry usually " -"corresponds to a mount point." +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2757 -msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2765 -msgid "ldap_autofs_entry_key (string)" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2768 sssd-ldap.5.xml:2783 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 msgid "" -"The key of an automount entry in LDAP. The entry usually corresponds to a " -"mount point." +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2772 -msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2780 -msgid "ldap_autofs_entry_value (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ldap.5.xml:2787 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 msgid "" -"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " -"automountInformation" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2706 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 msgid "" -"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " -"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" -"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2798 -msgid "ADVANCED OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2805 -msgid "ldap_netgroup_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2810 -msgid "ldap_user_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2815 -msgid "ldap_group_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> -#: sssd-ldap.5.xml:2820 -msgid "<note>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> -#: sssd-ldap.5.xml:2822 -msgid "" -"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " -"against Active Directory will not be restricted and return all groups " -"memberships, even with no GID mapping. It is recommended to disable this " -"feature, if group names are not being displayed correctly." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist> -#: sssd-ldap.5.xml:2829 -msgid "</note>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2831 -msgid "ldap_sudo_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ldap.5.xml:2836 -msgid "ldap_autofs_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2800 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 msgid "" -"These options are supported by LDAP domains, but they should be used with " -"caution. Please include them in your configuration only if you know what you " -"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" -"\"variablelist\" id=\"1\"/>" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2851 sssd-simple.5.xml:131 sssd-ipa.5.xml:843 -#: sssd-ad.5.xml:1097 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 -#: sssd-files.5.xml:130 sssd-session-recording.5.xml:144 -msgid "EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2853 -msgid "" -"The following example assumes that SSSD is correctly configured and LDAP is " -"set to one of the domains in the <replaceable>[domains]</replaceable> " -"section." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2859 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." msgstr "" -#. type: Content of: <refsect1><refsect2><para> -#: sssd-ldap.5.xml:2858 sssd-ldap.5.xml:2876 sssd-simple.5.xml:139 -#: sssd-ipa.5.xml:851 sssd-ad.5.xml:1105 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 -#: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:150 -#: include/ldap_id_mapping.xml:105 -msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2870 -msgid "LDAP ACCESS FILTER EXAMPLE" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2872 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 msgid "" -"The following example assumes that SSSD is correctly configured and to use " -"the ldap_access_order=lockout." +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ldap.5.xml:2877 -#, no-wrap -msgid "" -"[domain/LDAP]\n" -"id_provider = ldap\n" -"auth_provider = ldap\n" -"access_provider = ldap\n" -"ldap_access_order = lockout\n" -"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" -"ldap_uri = ldap://ldap.mydomain.org\n" -"ldap_search_base = dc=mydomain,dc=org\n" -"ldap_tls_reqcert = demand\n" -"cache_credentials = true\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ldap.5.xml:2892 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 -#: sssd-ad.5.xml:1120 sssd.8.xml:257 sss_seed.8.xml:163 -msgid "NOTES" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ldap.5.xml:2894 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 msgid "" -"The descriptions of some of the configuration options in this manual page " -"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " -"distribution." +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: pam_sss.8.xml:11 pam_sss.8.xml:16 -msgid "pam_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: pam_sss.8.xml:17 -msgid "PAM module for SSSD" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: pam_sss.8.xml:22 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 msgid "" -"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" -"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" -"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" -"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" -"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" -"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " -"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " -"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " -"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " -"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:64 -msgid "" -"<command>pam_sss.so</command> is the PAM interface to the System Security " -"Services daemon (SSSD). Errors and results are logged through " -"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:74 -msgid "<option>quiet</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:77 -msgid "Suppress log messages for unknown users." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:82 -msgid "<option>forward_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:85 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 msgid "" -"If <option>forward_pass</option> is set the entered password is put on the " -"stack for other PAM modules to use." +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:92 -msgid "<option>use_first_pass</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:95 +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 msgid "" -"The argument use_first_pass forces the module to use a previous stacked " -"modules password and will never prompt the user - if no password is " -"available or the password is not appropriate, the user will be denied access." +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:103 -msgid "<option>use_authtok</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:106 -msgid "" -"When password changing enforce the module to set the new password to the one " -"provided by a previously stacked password module." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:113 -msgid "<option>retry=N</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:116 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 msgid "" -"If specified the user is asked another N times for a password if " -"authentication fails. Default is 0." +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:118 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 msgid "" -"Please note that this option might not work as expected if the application " -"calling PAM handles the user dialog on its own. A typical example is " -"<command>sshd</command> with <option>PasswordAuthentication</option>." +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:127 -msgid "<option>ignore_unknown_user</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:130 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 msgid "" -"If this option is specified and the user does not exist, the PAM module will " -"return PAM_IGNORE. This causes the PAM framework to ignore this module." +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:137 -msgid "<option>ignore_authinfo_unavail</option>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:141 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 msgid "" -"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " -"the SSSD daemon. This causes the PAM framework to ignore this module." +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:148 -msgid "<option>domains</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:152 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 msgid "" -"Allows the administrator to restrict the domains a particular PAM service is " -"allowed to authenticate against. The format is a comma-separated list of " -"SSSD domain names, as specified in the sssd.conf file." +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:158 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 msgid "" -"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " -"and <quote>pam_public_domains</quote> options. Please see the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for more information on these two PAM " -"responder options." +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:172 -msgid "<option>allow_missing_name</option>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:176 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 msgid "" -"The main purpose of this option is to let SSSD determine the user name based " -"on additional information, e.g. the certificate from a Smartcard." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: pam_sss.8.xml:186 -#, no-wrap -msgid "" -"auth sufficient pam_sss.so allow_missing_name\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1019 +msgid "dyndns_update (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:181 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 msgid "" -"The current use case are login managers which can monitor a Smartcard reader " -"for card events. In case a Smartcard is inserted the login manager will call " -"a PAM stack which includes a line like <placeholder type=\"programlisting\" " -"id=\"0\"/> In this case SSSD will try to determine the user name based on " -"the content of the Smartcard, returns it to pam_sss which will finally put " -"it on the PAM stack." +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. 
The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:196 -msgid "<option>prompt_always</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1033 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:200 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 msgid "" -"Always prompt the user for credentials. With this option credentials " -"requested by other PAM modules, typically a password, will be ignored and " -"pam_sss will prompt for credentials again. Based on the pre-auth reply by " -"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " -"credentials." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:211 -msgid "<option>try_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1044 +msgid "dyndns_ttl (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:215 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1047 msgid "" -"Try to use certificate based authentication, i.e. authentication with a " -"Smartcard or similar devices. If a Smartcard is available and the service is " -"allowed for Smartcard authentication the user will be prompted for a PIN and " -"the certificate based authentication will continue" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:223 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 msgid "" -"If no Smartcard is available or certificate based authentication is not " -"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: pam_sss.8.xml:231 -msgid "<option>require_cert_auth</option>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:235 -msgid "" -"Do certificate based authentication, i.e. authentication with a Smartcard " -"or similar devices. If a Smartcard is not available the user will be " -"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " -"defined by p11_wait_for_card_timeout passed, please see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1058 +msgid "dyndns_iface (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: pam_sss.8.xml:245 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1061 msgid "" -"If no Smartcard is available after the timeout or certificate based " -"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " -"is returned." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:255 -msgid "MODULE TYPES PROVIDED" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:256 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 msgid "" -"All module types (<option>account</option>, <option>auth</option>, " -"<option>password</option> and <option>session</option>) are provided." +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:259 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 msgid "" -"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " -"not available, pam_sss will return PAM_USER_UNKNOWN when called as " -"<option>account</option> module to avoid issues with users from other " -"sources during access control." +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: pam_sss.8.xml:266 -msgid "FILES" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1072 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:267 -msgid "" -"If a password reset by root fails, because the corresponding SSSD provider " -"does not support password resets, an individual message can be displayed. " -"This message can e.g. contain instructions about how to reset a password." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1123 +msgid "dyndns_auth (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:272 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1126 msgid "" -"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" -"filename> where LOC stands for a locale string returned by <citerefentry> " -"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" -"citerefentry>. If there is no matching file the content of " -"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " -"the owner of the files and only root may have read and write permissions " -"while all other users must have only read permissions." +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: pam_sss.8.xml:282 -msgid "" -"These files are searched in the directory <filename>/etc/sssd/customize/" -"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " -"displayed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1132 +msgid "Default: GSS-TSIG" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 -msgid "sssd_krb5_locator_plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd_krb5_locator_plugin.8.xml:16 -msgid "Kerberos locator plugin" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:22 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 msgid "" -"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " -"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " -"a plugin to guide all Kerberos clients on a system to a single KDC. 
In " -"general it should not matter to which KDC a client process is talking to. " -"But there are cases, e.g. after a password change, where not all KDCs are in " -"the same state because the new data has to be replicated first. To avoid " -"unexpected authentication failures and maybe even account lockings it would " -"be good to talk to a single KDC as long as possible." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:34 -msgid "" -"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " -"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " -"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for details. The plugin can only be disabled by removing the " -"plugin file. There is no option in the Kerberos configuration to disable it. " -"But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " -"disable the plugin for individual commands. Alternatively the SSSD option " -"krb5_use_kdcinfo=False can be used to not generate the data needed by the " -"plugin. With this the plugin is still called but will provide no data to the " -"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:1078 +msgid "dyndns_refresh_interval (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:50 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 msgid "" -"The plugin reads the information about the KDCs of a given realm from a file " -"called <filename>kdcinfo.REALM</filename>. The file should contain one or " -"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " -"hexadecimal IPv6 notation. An optional port number can be added to the end " -"separated with a colon, the IPv6 address has to be enclosed in squared " -"brackets in this case as usual. Valid entries are:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:58 -msgid "kdc.example.com" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:59 -msgid "kdc.example.com:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:1096 +msgid "dyndns_update_ptr (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:60 -msgid "1.2.3.4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:1099 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:61 -msgid "5.6.7.8:99" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:62 -msgid "2001:db8:85a3::8a2e:370:7334" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd_krb5_locator_plugin.8.xml:63 -msgid "[2001:db8:85a3::8a2e:370:7334]:321" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:1110 +msgid "dyndns_force_tcp (bool)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:65 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1113 msgid "" -"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " -"adds the address of the current KDC or domain controller SSSD is using to " -"this file." +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:70 -msgid "" -"In environments with read-only and read-write KDCs where clients are " -"expected to use the read-only instances for the general operations and only " -"the read-write KDC for config changes like password changes a " -"<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" -"write KDCs. If this file exists for the given realm the content will be used " -"by the plugin to reply to requests for a kpasswd or kadmin server or for the " -"MIT Kerberos specific master KDC. If the address contains a port number the " -"default KDC port 88 will be used for the latter." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1117 +msgid "Default: False (let nsupdate choose the protocol)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:85 -msgid "" -"Not all Kerberos implementations support the use of plugins. If " -"<command>sssd_krb5_locator_plugin</command> is not available on your system " -"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1138 +msgid "dyndns_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1141 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " -"debug messages will be sent to stderr." +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:95 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1146 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " -"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " -"caller." +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd_krb5_locator_plugin.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1151 msgid "" -"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " -"any value plugin will try to resolve all DNS names in kdcinfo file. By " -"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " -"first DNS resolving failure." +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 -msgid "sssd-simple" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1156 +msgid "Default: None (let nsupdate choose the server)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-simple.5.xml:17 -msgid "the configuration file for SSSD's 'simple' access-control provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1162 +msgid "dyndns_update_per_family (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:24 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1165 msgid "" -"This manual page describes the configuration of the simple access-control " -"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " -"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page." +"DNS update is by default performed in two steps - IPv4 update and then IPv6 " +"update. In some cases it might be desirable to perform IPv4 and IPv6 update " +"in single step." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:38 -msgid "" -"The simple access provider grants or denies access based on an access or " -"deny list of user or group names. The following rules apply:" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:332 +msgid "ipa_deskprofile_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:43 -msgid "If all lists are empty, access is granted" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:47 -msgid "" -"If any list is provided, the order of evaluation is allow,deny. This means " -"that any matching deny rule will supersede any matched allow rule." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:54 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:335 msgid "" -"If either or both \"allow\" lists are provided, all users are denied unless " -"they appear in the list." +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-simple.5.xml:60 -msgid "" -"If only \"deny\" lists are provided, all users are granted access unless " -"they appear in the list." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 +msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:78 -msgid "simple_allow_users (string)" +#: sssd-ipa.5.xml:345 +msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:81 -msgid "Comma separated list of users who are allowed to log in." +#: sssd-ipa.5.xml:348 +msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:88 -msgid "simple_deny_users (string)" +#: sssd-ipa.5.xml:358 +msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:91 -msgid "Comma separated list of users who are explicitly denied access." +#: sssd-ipa.5.xml:361 +msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:97 -msgid "simple_allow_groups (string)" +#: sssd-ipa.5.xml:367 +msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:100 -msgid "" -"Comma separated list of groups that are allowed to log in. 
This applies only " -"to groups within this SSSD domain. Local groups are not evaluated." +#: sssd-ipa.5.xml:370 +msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-simple.5.xml:108 -msgid "simple_deny_groups (string)" +#: sssd-ipa.5.xml:386 +msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-simple.5.xml:111 -msgid "" -"Comma separated list of groups that are explicitly denied access. This " -"applies only to groups within this SSSD domain. Local groups are not " -"evaluated." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 -msgid "" -"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " -"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> manual page for details on the configuration of an SSSD " -"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +#: sssd-ipa.5.xml:389 +msgid "Optional. Use the given string as search base for trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:120 -msgid "" -"Specifying no values for any of the lists is equivalent to skipping it " -"entirely. Beware of this while generating parameters for the simple provider " -"using automated scripts." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:398 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:125 -msgid "" -"Please note that it is an configuration error if both, simple_allow_users " -"and simple_deny_users, are defined." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:405 +msgid "ipa_master_domain_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:133 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the simple access provider-specific options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:408 +msgid "Optional. Use the given string as search base for master domain object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-simple.5.xml:140 -#, no-wrap -msgid "" -"[domain/example.com]\n" -"access_provider = simple\n" -"simple_allow_users = user1, user2\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:417 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-simple.5.xml:150 -msgid "" -"The complete group membership hierarchy is resolved before the access check, " -"thus even nested groups can be included in the access lists. Please be " -"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " -"results and should be set to a sufficient value. (<citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" -"citerefentry>) option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:424 +msgid "ipa_views_search_base (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 -msgid "sss-certmap" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:427 +msgid "Optional. Use the given string as search base for views containers." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss-certmap.5.xml:17 -msgid "SSSD Certificate Matching and Mapping Rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:436 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 msgid "" -"The manual page describes the rules which can be used by SSSD and other " -"components to match X.509 certificates and map them to accounts." +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss-certmap.5.xml:28 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 msgid "" -"Each rule has four components, a <quote>priority</quote>, a <quote>matching " -"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" -"quote>. All components are optional. A missing <quote>priority</quote> will " -"add the rule with the lowest priority. The default <quote>matching rule</" -"quote> will match certificates with the digitalSignature key usage and " -"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " -"the certificates will be searched in the userCertificate attribute as DER " -"encoded binary. If no domains are given only the local domain will be " -"searched." 
+"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss-certmap.5.xml:41 -msgid "RULE COMPONENTS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1180 +msgid "krb5_confd_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:43 -msgid "PRIORITY" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1183 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:45 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1187 msgid "" -"The rules are processed by priority while the number '0' (zero) indicates " -"the highest priority. The higher the number the lower is the priority. A " -"missing value indicates the lowest priority. The rules processing is stopped " -"when a matched rule is found and no further rules are checked." +"To disable the creation of the configuration snippets set the parameter to " +"'none'." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:52 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1191 msgid "" -"Internally the priority is treated as unsigned 32bit integer, using a " -"priority value larger than 4294967295 will cause an error." +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:57 -msgid "MATCHING RULE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:476 +msgid "ipa_deskprofile_refresh (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:59 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:479 msgid "" -"The matching rule is used to select a certificate to which the mapping rule " -"should be applied. It uses a system similar to the one used by " -"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " -"keyword enclosed by '<' and '>' which identified a certain part of the " -"certificate and a pattern which should be found for the rule to match. " -"Multiple keyword pattern pairs can be either joined with '&&' (and) " -"or '||' (or)." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:71 -msgid "<SUBJECT>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:522 +msgid "Default: 5 (seconds)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:74 -msgid "" -"With this a part or the whole subject name of the certificate can be " -"matched. For the matching POSIX Extended Regular Expression syntax is used, " -"see regex(7) for details." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:492 +msgid "ipa_deskprofile_request_interval (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:80 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:495 msgid "" -"For the matching the subject name stored in the certificate in DER encoded " -"ASN.1 is converted into a string according to RFC 4514. This means the most " -"specific name component comes first. Please note that not all possible " -"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " -"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " -"be shown differently on different platform and by different tools. To avoid " -"confusion those attribute names are best not used or covered by a suitable " -"regular-expression." +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:93 -msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:500 +msgid "Default: 60 (minutes)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:98 -msgid "<ISSUER>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:506 +msgid "ipa_hbac_refresh (integer)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:101 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:509 msgid "" -"With this a part or the whole issuer name of the certificate can be matched. " -"All comments for <SUBJECT> apply her as well." +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:106 -msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:522 +msgid "ipa_hbac_selinux (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:111 -msgid "<KU>key-usage" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:114 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:525 msgid "" -"This option can be used to specify which key usage values the certificate " -"should have. The following values can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:118 -msgid "digitalSignature" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:119 -msgid "nonRepudiation" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:538 +msgid "ipa_server_mode (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:120 -msgid "keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:121 -msgid "dataEncipherment" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:546 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:122 -msgid "keyAgreement" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:551 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:123 -msgid "keyCertSign" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:556 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:124 -msgid "cRLSign" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:565 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:125 -msgid "encipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:580 +msgid "ipa_automount_location (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:126 -msgid "decipherOnly" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:583 +msgid "The automounter location this IPA client will be using" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:130 -msgid "" -"A numerical value in the range of a 32bit unsigned integer can be used as " -"well to cover special use cases." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:586 +msgid "Default: The location named \"default\"" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:134 -msgid "Example: <KU>digitalSignature,keyEncipherment" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:594 +msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:139 -msgid "<EKU>extended-key-usage" +#: sssd-ipa.5.xml:603 +msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:142 -msgid "" -"This option can be used to specify which extended key usage the certificate " -"should have. The following value can be used in a comma separated list:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:146 -msgid "serverAuth" +#: sssd-ipa.5.xml:606 +msgid "Objectclass of the view container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:147 -msgid "clientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:609 +msgid "Default: nsContainer" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:148 -msgid "codeSigning" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:615 +msgid "ipa_view_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:149 -msgid "emailProtection" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:618 +msgid "Name of the attribute holding the name of the view." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:150 -msgid "timeStamping" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:622 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894 +#: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049 +msgid "Default: cn" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:151 -msgid "OCSPSigning" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:628 +msgid "ipa_override_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:152 -msgid "KPClientAuth" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:631 +msgid "Objectclass of the override objects." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:153 -msgid "pkinit" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:634 +msgid "Default: ipaOverrideAnchor" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sss-certmap.5.xml:154 -msgid "msScLogin" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:640 +msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:158 +#: sssd-ipa.5.xml:643 msgid "" -"Extended key usages which are not listed above can be specified with their " -"OID in dotted-decimal notation." +"Name of the attribute containing the reference to the original object in a " +"remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:162 -msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +#: sssd-ipa.5.xml:647 +msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:167 -msgid "<SAN>regular-expression" +#: sssd-ipa.5.xml:653 +msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:170 +#: sssd-ipa.5.xml:656 msgid "" -"To be compatible with the usage of MIT Kerberos this option will match the " -"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" -"Principal> does." +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:175 -msgid "Example: <SAN>.*@MY\\.REALM" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:180 -msgid "<SAN:Principal>regular-expression" +#: sssd-ipa.5.xml:661 +msgid "User overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:183 -msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:187 -msgid "Example: <SAN:Principal>.*@MY\\.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_uid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:192 -msgid "<SAN:ntPrincipalName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:670 +msgid "ldap_user_gid_number" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:195 -msgid "Match the Kerberos principals from the AD NT Principal SAN." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:673 +msgid "ldap_user_gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:199 -msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:676 +msgid "ldap_user_home_directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:204 -msgid "<SAN:pkinit>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:679 +msgid "ldap_user_shell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:207 -msgid "Match the Kerberos principals from the PKINIT SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:682 +msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:210 -msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +#: sssd-ipa.5.xml:687 +msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:215 -msgid "<SAN:dotted-decimal-oid>regular-expression" +#: sssd-ipa.5.xml:693 +msgid "ipa_group_override_object_class (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:218 +#: sssd-ipa.5.xml:696 msgid "" -"Take the value of the otherName SAN component given by the OID in dotted-" -"decimal notation, interpret it as string and try to match it against the " -"regular expression." +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:224 -msgid "Example: <SAN:1.2.3.4>test" +#: sssd-ipa.5.xml:701 +msgid "Group overrides can contain attributes given by" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:229 -msgid "<SAN:otherName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:704 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:707 +msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:232 -msgid "" -"Do a binary match with the base64 encoded blob against all otherName SAN " -"components. With this option it is possible to match against custom " -"otherName components with special encodings which could not be treated as " -"strings." +#: sssd-ipa.5.xml:712 +msgid "Default: ipaGroupOverride" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:239 -msgid "Example: <SAN:otherName>MTIz" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:596 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:244 -msgid "<SAN:rfc822Name>regular-expression" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:724 +msgid "SUBDOMAINS PROVIDER" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:247 -msgid "Match the value of the rfc822Name SAN." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:726 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:250 -msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:730 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:255 -msgid "<SAN:dNSName>regular-expression" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:736 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:258 -msgid "Match the value of the dNSName SAN." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:747 +msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:261 -msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:753 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:266 -msgid "<SAN:x400Address>base64-string" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:749 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:269 -msgid "Binary match the value of the x400Address SAN." +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:758 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:272 -msgid "Example: <SAN:x400Address>MTIz" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:768 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:277 -msgid "<SAN:directoryName>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:773 +msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:280 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:775 msgid "" -"Match the value of the directoryName SAN. The same comments as given for <" -"ISSUER> and <SUBJECT> apply here as well." +"The following options can be set in a subdomain section on an IPA master:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:285 -msgid "Example: <SAN:directoryName>.*,DC=com" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 +msgid "ad_server" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:290 -msgid "<SAN:ediPartyName>base64-string" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:782 +msgid "ad_backup_server" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:293 -msgid "Binary match the value of the ediPartyName SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 +msgid "ad_site" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:296 -msgid "Example: <SAN:ediPartyName>MTIz" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "ldap_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:301 -msgid "<SAN:uniformResourceIdentifier>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:791 +msgid "ldap_user_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:304 -msgid "Match the value of the uniformResourceIdentifier SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:794 +msgid "ldap_group_search_base" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:307 -msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:803 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:312 -msgid "<SAN:iPAddress>regular-expression" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:805 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:315 -msgid "Match the value of the iPAddress SAN." +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:817 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:318 -msgid "Example: <SAN:iPAddress>192\\.168\\..*" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:821 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:323 -msgid "<SAN:registeredID>regular-expression" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:845 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:326 -msgid "Match the value of the registeredID SAN as dotted-decimal string." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:852 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:330 -msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:68 -msgid "" -"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:338 -msgid "MAPPING RULE" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:340 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 msgid "" -"The mapping rule is used to associate a certificate with one or more " -"accounts. A Smartcard with the certificate and the matching private key can " -"then be used to authenticate as one of those accounts." +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:345 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 msgid "" -"Currently SSSD basically only supports LDAP to lookup user information (the " -"exception is the proxy provider which is not of relevance here). Because of " -"this the mapping rule is based on LDAP search filter syntax with templates " -"to add certificate content to the filter. It is expected that the filter " -"will only contain the specific data needed for the mapping and that the " -"caller will embed it in another filter to do the actual search. Because of " -"this the filter string should start and stop with '(' and ')' respectively." +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:355 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 msgid "" -"In general it is recommended to use attributes from the certificate and add " -"them to special attributes to the LDAP user object. E.g. the " -"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " -"for IPA can be used." +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:361 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 msgid "" -"This should be preferred to read user specific data from the certificate " -"like e.g. an email address and search for it in the LDAP server. The reason " -"is that the user specific data in LDAP might change for various reasons " -"would break the mapping. On the other hand it would be hard to break the " -"mapping on purpose for a specific user." +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:376 -msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:379 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 msgid "" -"This template will add the full issuer DN converted to a string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 msgid "" -"The conversion options starting with 'ad_' will use attribute names as used " -"by AD, e.g. 'S' instead of 'ST'." +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap msgid "" -"The conversion options starting with 'nss_' will use attribute names as used " -"by NSS." +"ldap_id_mapping = False\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 msgid "" -"The default conversion option is 'nss', i.e. attribute names according to " -"NSS and LDAP/RFC 4514 ordering." +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:397 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" -"ad})" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:402 -msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:405 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 msgid "" -"This template will add the full subject DN converted to string according to " -"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " -"the '_x500' prefix should be used." +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:423 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 msgid "" -"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" -"{subject_dn!nss_x500})" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:428 -msgid "{cert[!(bin|base64)]}" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:431 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 msgid "" -"This template will add the whole DER encoded certificate as a string to the " -"search filter. Depending on the conversion option the binary certificate is " -"either converted to an escaped hex sequence '\\xx' or base64. The escaped " -"hex sequence is the default and can e.g. be used with the LDAP attribute " -"'userCertificate;binary'." +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:439 -msgid "Example: (userCertificate;binary={cert!bin})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:444 -msgid "{subject_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:447 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap msgid "" -"This template will add the Kerberos principal which is taken either from the " -"SAN used by pkinit or the one used by AD. The 'short_name' component " -"represents the first part of the principal before the '@' sign." 
+"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 msgid "" -"Example: (|(userPrincipal={subject_principal})" -"(samAccountName={subject_principal.short_name}))" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:458 -msgid "{subject_pkinit_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:461 -msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by pkinit. The 'short_name' component represents the first part of the " -"principal before the '@' sign." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:467 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 msgid "" -"Example: (|(userPrincipal={subject_pkinit_principal})" -"(uid={subject_pkinit_principal.short_name}))" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:472 -msgid "{subject_nt_principal[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:475 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 msgid "" -"This template will add the Kerberos principal which is given by the SAN used " -"by AD. The 'short_name' component represent the first part of the principal " -"before the '@' sign." +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:486 -msgid "{subject_rfc822_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:489 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 msgid "" -"This template will add the string which is stored in the rfc822Name " -"component of the SAN, typically an email address. The 'short_name' component " -"represents the first part of the address before the '@' sign." +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:495 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 msgid "" -"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." -"short_name}))" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:500 -msgid "{subject_dns_name[.short_name]}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:503 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 msgid "" -"This template will add the string which is stored in the dNSName component " -"of the SAN, typically a fully-qualified host name. 
The 'short_name' " -"component represents the first part of the name before the first '.' sign." +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:509 -msgid "" -"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:514 -msgid "{subject_uri}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:517 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 msgid "" -"This template will add the string which is stored in the " -"uniformResourceIdentifier component of the SAN." +"The option also supports specifying different filters per domain or forest. 
" +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:521 -msgid "Example: (uri={subject_uri})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:526 -msgid "{subject_ip_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:529 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 msgid "" -"This template will add the string which is stored in the iPAddress component " -"of the SAN." +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. 
See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:533 -msgid "Example: (ip={subject_ip_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:538 -msgid "{subject_x400_address}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:541 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 msgid "" -"This template will add the value which is stored in the x400Address " -"component of the SAN as escaped hex sequence." +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:546 -msgid "Example: (attr:binary={subject_x400_address})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 msgid "" -"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:554 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 msgid "" -"This template will add the DN string of the value which is stored in the " -"directoryName component of the SAN." +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. 
However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:558 -msgid "Example: (orig_dn={subject_directory_name})" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:563 -msgid "{subject_ediparty_name}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:566 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 msgid "" -"This template will add the value which is stored in the ediPartyName " -"component of the SAN as escaped hex sequence." +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:571 -msgid "Example: (attr:binary={subject_ediparty_name})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:367 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://pagure.io/SSSD/sssd/issue/4099 ." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sss-certmap.5.xml:576 -msgid "{subject_registered_id}" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:579 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:386 msgid "" -"This template will add the OID which is stored in the registeredID component " -"of the SAN as a dotted-decimal string." +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sss-certmap.5.xml:584 -msgid "Example: (oid={subject_registered_id})" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:401 msgid "" -"The templates to add certificate data to the search filter are based on " -"Python-style formatting strings. They consist of a keyword in curly braces " -"with an optional sub-component specifier separated by a '.' or an optional " -"conversion/formatting option separated by a '!'. Allowed values are: " -"<placeholder type=\"variablelist\" id=\"0\"/>" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss-certmap.5.xml:592 -msgid "DOMAIN LIST" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:410 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss-certmap.5.xml:594 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:417 msgid "" -"If the domain list is not empty users mapped to a given certificate are not " -"only searched in the local domain but in the listed domains as well as long " -"as they are know by SSSD. Domains not know to SSSD will be ignored." +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> <refentrytitle>sssctl</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 -msgid "sssd-ipa" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "There are three supported values for this option:" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ipa.5.xml:17 -msgid "SSSD IPA provider" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:23 -msgid "" -"This manual page describes the configuration of the IPA provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:446 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:452 msgid "" -"The IPA provider is a back end used to connect to an IPA server. (Refer to " -"the freeipa.org web site for information about IPA servers.) This provider " -"requires that the machine be joined to the IPA domain; configuration is " -"almost entirely self-discovered and obtained directly from the server." +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:43 -msgid "" -"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for IPA environments. 
The IPA provider accepts the same " -"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " -"However, it is neither necessary nor recommended to set these options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:463 +msgid "Default: permissive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:57 -msgid "" -"The IPA provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:466 +msgid "Default: enforcing" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:62 -msgid "" -"As an access provider, the IPA provider uses HBAC (host-based access " -"control) rules. Please refer to freeipa.org for more information about " -"HBAC. No configuration of access provider is required on the client side." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:472 +msgid "ad_gpo_implicit_deny (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:475 msgid "" -"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" -"quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:73 -msgid "" -"The IPA provider will use the PAC responder if the Kerberos tickets of users " -"from trusted realms contain a PAC. 
To make configuration easier the PAC " -"responder is started automatically if the IPA ID provider is configured." +"Normally when no applicable GPOs are found the users are allowed access. " +"When this option is set to True users will be allowed access only when " +"explicitly allowed by a GPO rule. Otherwise users will be denied access. " +"This can be used to harden security but be careful when using this option " +"because it can deny access even to users in the built-in Administrators " +"group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:89 -msgid "ipa_domain (string)" +#: sssd-ad.5.xml:492 +msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:92 +#: sssd-ad.5.xml:495 msgid "" -"Specifies the name of the IPA domain. This is optional. If not provided, " -"the configuration domain name is used." +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:100 -msgid "ipa_server, ipa_backup_server (string)" +#: sssd-ad.5.xml:512 +msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:103 +#: sssd-ad.5.xml:515 msgid "" -"The comma-separated list of IP addresses or hostnames of the IPA servers to " -"which SSSD should connect in the order of preference. 
For more information " -"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:116 -msgid "ipa_hostname (string)" +#: sssd-ad.5.xml:528 +msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:119 +#: sssd-ad.5.xml:531 msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the IPA domain to identify this host. The " -"hostname must be fully qualified." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907 -msgid "dyndns_update (boolean)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." 
msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:131 +#: sssd-ad.5.xml:549 msgid "" -"Optional. This option tells SSSD to automatically update the DNS server " -"built into FreeIPA with the IP address of this client. The update is secured " -"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " -"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" -"quote> option." +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:563 +#, no-wrap msgid "" -"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " -"the default Kerberos realm must be set properly in /etc/krb5.conf" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:145 +#: sssd-ad.5.xml:554 msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" -"emphasis> option, users should migrate to using <emphasis>dyndns_update</" -"emphasis> in their config file." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932 -msgid "dyndns_ttl (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:586 +msgid "gdm-fingerprint" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935 -msgid "" -"The TTL to apply to the client DNS record when updating it. If " -"dyndns_update is false this has no effect. This will override the TTL " -"serverside if set by an administrator." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:606 +msgid "lightdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:165 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" -"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:611 +msgid "lxdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:171 -msgid "Default: 1200 (seconds)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:616 +msgid "sddm" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946 -msgid "dyndns_iface (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:621 +msgid "unity" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949 -msgid "" -"Optional. Applicable only when dyndns_update is true. Choose the interface " -"or a list of interfaces whose IP addresses should be used for dynamic DNS " -"updates. Special value <quote>*</quote> implies that IPs from all interfaces " -"should be used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:626 +msgid "xdm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:187 -msgid "" -"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" -"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" -"emphasis> in their config file." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:635 +msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:193 +#: sssd-ad.5.xml:638 msgid "" -"Default: Use the IP addresses of the interface which is used for IPA LDAP " -"connection" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. 
Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote access. " +"If at least one evaluated GPO contains remote interactive logon right " +"settings, the user is granted remote access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960 -msgid "Example: dyndns_iface = em1, vnet1, vnet2" +#: sssd-ad.5.xml:657 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011 -msgid "dyndns_auth (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:672 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014 +#: sssd-ad.5.xml:663 msgid "" -"Whether the nsupdate utility should use GSS-TSIG authentication for secure " -"updates with the DNS server, insecure updates can be sent by setting this " -"option to 'none'." 
+"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020 -msgid "Default: GSS-TSIG" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:680 +msgid "sshd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:218 -msgid "ipa_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:685 +msgid "cockpit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 -msgid "Enables DNS sites - location based service discovery." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:694 +msgid "ad_gpo_map_network (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:225 +#: sssd-ad.5.xml:697 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, then the SSSD will first attempt location " -"based discovery using a query that contains \"_location.hostname.example.com" -"\" and then fall back to traditional SRV discovery. If the location based " -"discovery succeeds, the IPA servers located with the location based " -"discovery are treated as primary servers and the IPA servers located using " -"the traditional SRV discovery are used as back up servers" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966 -msgid "dyndns_refresh_interval (integer)" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:247 +#: sssd-ad.5.xml:715 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. 
This option is " -"optional and applicable only when dyndns_update is true." +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984 -msgid "dyndns_update_ptr (bool)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:730 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987 +#: sssd-ad.5.xml:721 msgid "" -"Whether the PTR record should also be explicitly updated when updating the " -"client's DNS records. Applicable only when dyndns_update is true." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:268 -msgid "" -"This option should be False in most IPA deployments as the IPA server " -"generates the PTR records automatically when forward records are changed." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:738 +msgid "ftp" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:274 -msgid "Default: False (disabled)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:743 +msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998 -msgid "dyndns_force_tcp (bool)" +#: sssd-ad.5.xml:752 +msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001 +#: sssd-ad.5.xml:755 msgid "" -"Whether the nsupdate utility should default to using TCP for communicating " -"with the DNS server." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" +"quote>). If an evaluated GPO contains the deny batch logon setting for the " +"user or one of its groups, the user is denied batch logon access. If none " +"of the evaluated GPOs has a batch logon right defined, the user is granted " +"logon access. If at least one evaluated GPO contains batch logon right " +"settings, the user is granted logon access only, if it or at least one of " +"its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005 -msgid "Default: False (let nsupdate choose the protocol)" -msgstr "" - -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026 -msgid "dyndns_server (string)" +#: sssd-ad.5.xml:773 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:787 +#, no-wrap msgid "" -"The DNS server to use when performing a DNS update. In most setups, it's " -"recommended to leave this option unset." +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034 +#: sssd-ad.5.xml:778 msgid "" -"Setting this option makes sense for environments where the DNS server is " -"different from the identity server." +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039 +#: sssd-ad.5.xml:790 msgid "" -"Please note that this option will be only used in fallback attempt when " -"previous attempt using autodetected settings failed." 
+"Note: Cron service name may differ depending on Linux distribution used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044 -msgid "Default: None (let nsupdate choose the server)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:317 sssd-ad.5.xml:1050 -msgid "dyndns_update_per_family (boolean)" +#: sssd-ad.5.xml:805 +msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:320 sssd-ad.5.xml:1053 +#: sssd-ad.5.xml:808 msgid "" -"DNS update is by default performed in two steps - IPv4 update and then IPv6 " -"update. In some cases it might be desirable to perform IPv4 and IPv6 update " -"in single step." +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:332 -msgid "ipa_deskprofile_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:826 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:839 +#, no-wrap msgid "" -"Optional. Use the given string as search base for Desktop Profile related " -"objects." +"ad_gpo_map_service = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:339 sssd-ipa.5.xml:352 -msgid "Default: Use base DN" +#: sssd-ad.5.xml:831 sssd-ad.5.xml:906 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:345 -msgid "ipa_hbac_search_base (string)" +#: sssd-ad.5.xml:849 +msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:348 -msgid "Optional. Use the given string as search base for HBAC related objects." 
+#: sssd-ad.5.xml:852 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:358 -msgid "ipa_host_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:866 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:361 -msgid "Deprecated. Use ldap_host_search_base instead." +#: sssd-ad.5.xml:857 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:367 -msgid "ipa_selinux_search_base (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "polkit-1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:370 -msgid "Optional. Use the given string as search base for SELinux user maps." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:889 +msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:386 -msgid "ipa_subdomains_search_base (string)" +#: sssd-ad.5.xml:898 +msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:389 -msgid "Optional. Use the given string as search base for trusted domains." +#: sssd-ad.5.xml:901 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:398 -msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:914 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:405 -msgid "ipa_master_domain_search_base (string)" +#: sssd-ad.5.xml:924 +msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:408 -msgid "Optional. Use the given string as search base for master domain object." +#: sssd-ad.5.xml:927 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. 
For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:417 -msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:424 -msgid "ipa_views_search_base (string)" +#: sssd-ad.5.xml:940 +msgid "Supported values for this option include:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:427 -msgid "Optional. Use the given string as search base for views containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:944 +msgid "interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:436 -msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:949 +msgid "remote_interactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:446 -msgid "" -"The name of the Kerberos realm. This is optional and defaults to the value " -"of <quote>ipa_domain</quote>." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:954 +msgid "network" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:450 -msgid "" -"The name of the Kerberos realm has a special meaning in IPA - it is " -"converted into the base DN to use for performing LDAP operations." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:959 +msgid "batch" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:458 sssd-ad.5.xml:1068 -msgid "krb5_confd_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:964 +msgid "service" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:461 sssd-ad.5.xml:1071 -msgid "" -"Absolute path of a directory where SSSD should place Kerberos configuration " -"snippets." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:969 +msgid "permit" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:465 sssd-ad.5.xml:1075 -msgid "" -"To disable the creation of the configuration snippets set the parameter to " -"'none'." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:974 +msgid "deny" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:469 sssd-ad.5.xml:1079 -msgid "" -"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +#: sssd-ad.5.xml:980 +msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:476 -msgid "ipa_deskprofile_refresh (integer)" +#: sssd-ad.5.xml:986 +msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:479 +#: sssd-ad.5.xml:989 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server. This will reduce the latency and load on the IPA server if there " -"are many desktop profiles requests made in a short period." +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:486 sssd-ipa.5.xml:516 sssd-ipa.5.xml:532 sssd-ad.5.xml:471 -msgid "Default: 5 (seconds)" +#: sssd-ad.5.xml:995 +msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:492 -msgid "ipa_deskprofile_request_interval (integer)" +#: sssd-ad.5.xml:1001 +msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:495 +#: sssd-ad.5.xml:1004 msgid "" -"The amount of time between lookups of the Desktop Profile rules against the " -"IPA server in case the last request did not return any rule." 
+"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:500 -msgid "Default: 60 (minutes)" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:506 -msgid "ipa_hbac_refresh (integer)" +#: sssd-ad.5.xml:1013 +msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:509 +#: sssd-ad.5.xml:1022 msgid "" -"The amount of time between lookups of the HBAC rules against the IPA server. " -"This will reduce the latency and load on the IPA server if there are many " -"access-control requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:522 -msgid "ipa_hbac_selinux (integer)" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:525 -msgid "" -"The amount of time between lookups of the SELinux maps against the IPA " -"server. 
This will reduce the latency and load on the IPA server if there are " -"many user login requests made in a short period." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:538 -msgid "ipa_server_mode (boolean)" +#: sssd-ad.5.xml:1052 +msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:541 +#: sssd-ad.5.xml:1068 msgid "" -"This option will be set by the IPA installer (ipa-server-install) " -"automatically and denotes if SSSD is running on an IPA server or not." +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:546 +#: sssd-ad.5.xml:1081 msgid "" -"On an IPA server SSSD will lookup users and groups from trusted domains " -"directly while on a client it will ask an IPA server." +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:551 -msgid "" -"NOTE: There are currently some assumptions that must be met when SSSD is " -"running on an IPA server." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1104 sss_rpcidmapd.5.xml:76 +msgid "Default: True" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:556 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1211 msgid "" -"The <quote>ipa_server</quote> option must be configured to point to the IPA " -"server itself. This is already the default set by the IPA installer, so no " -"manual change is required." +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:565 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1218 +#, no-wrap msgid "" -"The <quote>full_name_format</quote> option must not be tweaked to only print " -"short names for users from trusted domains." +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:580 -msgid "ipa_automount_location (string)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1238 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:583 -msgid "The automounter location this IPA client will be using" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1234 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1244 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1252 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:586 -msgid "Default: The location named \"default\"" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:594 -msgid "VIEWS AND OVERRIDES" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:603 -msgid "ipa_view_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:606 -msgid "Objectclass of the view container." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:609 -msgid "Default: nsContainer" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:615 -msgid "ipa_view_name (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:618 -msgid "Name of the attribute holding the name of the view." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:628 -msgid "ipa_override_object_class (string)" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:631 -msgid "Objectclass of the override objects." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:634 -msgid "Default: ipaOverrideAnchor" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:640 -msgid "ipa_anchor_uuid (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:643 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 msgid "" -"Name of the attribute containing the reference to the original object in a " -"remote domain." +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. 
The deprecated " +"option will still work if the <option>--logger</option> is not used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:647 -msgid "Default: ipaAnchorUUID" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:653 -msgid "ipa_user_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:656 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 msgid "" -"Name of the objectclass for user overrides. It is used to determine if the " -"found override object is related to a user or a group." +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:661 -msgid "User overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:664 -msgid "ldap_user_name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:667 -msgid "ldap_user_uid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:670 -msgid "ldap_user_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:673 -msgid "ldap_user_gecos" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:676 -msgid "ldap_user_home_directory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. 
For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:679 -msgid "ldap_user_shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:169 +msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:682 -msgid "ldap_user_ssh_public_key" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:173 +msgid "" +"Do not start the SSSD, but refresh the configuration database from the " +"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:687 -msgid "Default: ipaUserOverride" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:181 +msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-ipa.5.xml:693 -msgid "ipa_group_override_object_class (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:185 +msgid "" +"Similar to <quote>--genconf</quote>, but only refresh a single section from " +"the configuration file. 
This option is useful mainly to be called from " +"systemd unit files to allow socket-activated responders to refresh their " +"configuration without requiring the administrator to restart the whole SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:696 -msgid "" -"Name of the objectclass for group overrides. It is used to determine if the " -"found override object is related to a user or a group." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:197 +msgid "<option>--version</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:701 -msgid "Group overrides can contain attributes given by" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "Print version number and exit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:704 -msgid "ldap_group_name" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:209 +msgid "Signals" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:707 -msgid "ldap_group_gid_number" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:212 +msgid "SIGTERM/SIGINT" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-ipa.5.xml:712 -msgid "Default: ipaGroupOverride" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:215 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:596 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:221 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:224 msgid "" -"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " -"later version. Since all paths and objectclasses are fixed on the server " -"side there is basically no need to configure anything. For completeness the " -"related options are listed here with their default values. <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:724 -msgid "SUBDOMAINS PROVIDER" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:232 +msgid "SIGUSR1" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:726 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:235 msgid "" -"The IPA subdomains provider behaves slightly differently if it is configured " -"explicitly or implicitly." +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:730 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:244 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:247 msgid "" -"If the option 'subdomains_provider = ipa' is found in the domain section of " -"sssd.conf, the IPA subdomains provider is configured explicitly, and all " -"subdomain requests are sent to the IPA server if necessary." +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:736 +#: sssd.8.xml:259 msgid "" -"If the option 'subdomains_provider' is not set in the domain section of sssd." -"conf but there is the option 'id_provider = ipa', the IPA subdomains " -"provider is configured implicitly. In this case, if a subdomain request " -"fails and indicates that the server does not support subdomains, i.e. is not " -"configured for trusts, the IPA subdomains provider is disabled. After an " -"hour or after the IPA provider goes online, the subdomains provider is " -"enabled again." +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-ipa.5.xml:747 -msgid "TRUSTED DOMAINS CONFIGURATION" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:753 -#, no-wrap +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 msgid "" -"[domain/ipa.domain.com/ad.domain.com]\n" -"ad_server = dc.ad.domain.com\n" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:749 +#: sss_obfuscate.8.xml:32 msgid "" -"Some configuration options can be also set for a trusted domain. A trusted " -"domain configuration can either be done using a subsection, for example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:758 +#: sss_obfuscate.8.xml:37 msgid "" -"In addition, some options can be set in the parent domain and inherited by " -"the trusted domain using the <quote>subdomain_inherit</quote> option. For " -"more details, see the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:768 +#: sss_obfuscate.8.xml:49 msgid "" -"Different configuration options are tunable for a trusted domain depending " -"on whether you are configuring SSSD on an IPA server or an IPA client." +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:773 -msgid "OPTIONS TUNABLE ON IPA MASTERS" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:775 -msgid "" -"The following options can be set in a subdomain section on an IPA master:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:779 sssd-ipa.5.xml:809 -msgid "ad_server" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:782 -msgid "ad_backup_server" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:785 sssd-ipa.5.xml:812 -msgid "ad_site" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:788 -msgid "ldap_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:791 -msgid "ldap_user_search_base" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sssd-ipa.5.xml:794 -msgid "ldap_group_search_base" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-ipa.5.xml:803 -msgid "OPTIONS TUNABLE ON IPA CLIENTS" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:805 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 msgid "" -"The following options can be set in a subdomain section on an IPA client:" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:817 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 msgid "" -"Note that if both options are set, only <quote>ad_server</quote> is " -"evaluated." +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-ipa.5.xml:821 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 msgid "" -"Since any request for a user or a group identity from a trusted domain " -"triggered from an IPA client is resolved by the IPA server, the " -"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " -"which AD DC will the authentication be performed against. In particular, the " -"addresses resolved from these lists will be written to <quote>kdcinfo</" -"quote> files read by the Kerberos locator plugin. Please refer to the " -"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " -"Kerberos locator plugin." +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ipa.5.xml:845 +#: sss_override.8.xml:52 msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This examples shows only the ipa provider-specific options." +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ipa.5.xml:852 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 msgid "" -"[domain/example.com]\n" -"id_provider = ipa\n" -"ipa_server = ipaserver.example.com\n" -"ipa_hostname = myhost.example.com\n" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 -msgid "sssd-ad" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ad.5.xml:17 -msgid "SSSD Active Directory provider" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:23 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 msgid "" -"This manual page describes the configuration of the AD provider for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:36 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 msgid "" -"The AD provider is a back end used to connect to an Active Directory server. " -"This provider requires that the machine be joined to the AD domain and a " -"keytab is available. 
Back end communication occurs over a GSSAPI-encrypted " -"channel, SSL/TLS options should not be used with the AD provider and will be " -"superseded by Kerberos usage." +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:44 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 msgid "" -"The AD provider supports connecting to Active Directory 2008 R2 or later. " -"Earlier versions may work, but are unsupported." +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:48 -msgid "" -"The AD provider can be used to get user information and authenticate users " -"from trusted domains. Currently only trusted domains in the same forest are " -"recognized. In addition servers from trusted domains are always auto-" -"discovered." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:54 -msgid "" -"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " -"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " -"optimizations for Active Directory environments. The AD provider accepts the " -"same options used by the sssd-ldap and sssd-krb5 providers with some " -"exceptions. However, it is neither necessary nor recommended to set these " -"options." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:69 -msgid "" -"The AD provider primarily copies the traditional ldap and krb5 provider " -"default options with some exceptions, the differences are listed in the " -"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:74 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 msgid "" -"The AD provider can also be used as an access, chpass, sudo and autofs " -"provider. No configuration of the access provider is required on the client " -"side." +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:79 -msgid "" -"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " -"configured in sssd.conf then the id_provider must also be set to <quote>ad</" -"quote>." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:91 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 msgid "" -"ldap_id_mapping = False\n" -" " +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:85 -msgid "" -"By default, the AD provider will map UID and GID values from the objectSID " -"parameter in Active Directory. For details on this, see the <quote>ID " -"MAPPING</quote> section below. If you want to disable ID mapping and instead " -"rely on POSIX attributes defined in Active Directory, you should set " -"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " -"be used, it is recommended for performance reasons that the attributes are " -"also replicated to the Global Catalog. If POSIX attributes are replicated, " -"SSSD will attempt to locate the domain of a requested numerical ID with the " -"help of the Global Catalog and only search that domain. In contrast, if " -"POSIX attributes are not replicated to the Global Catalog, SSSD must search " -"all the domains in the forest sequentially. Please note that the " -"<quote>cache_first</quote> option might be also helpful in speeding up " -"domainless searches. Note that if only a subset of POSIX attributes is " -"present in the Global Catalog, the non-replicated attributes are currently " -"not read from the LDAP port." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:108 -msgid "" -"Users, groups and other entities served by SSSD are always treated as case-" -"insensitive in the AD provider for compatibility with Active Directory's " -"LDAP implementation." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:123 -msgid "ad_domain (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:126 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 msgid "" -"Specifies the name of the Active Directory domain. This is optional. If not " -"provided, the configuration domain name is used." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:131 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 msgid "" -"For proper operation, this option should be specified as the lower-case " -"version of the long version of the Active Directory domain." +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:136 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 msgid "" -"The short domain name (also known as the NetBIOS or the flat name) is " -"autodetected by the SSSD." +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:143 -msgid "ad_enabled_domains (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:146 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 msgid "" -"A comma-separated list of enabled Active Directory domains. If provided, " -"SSSD will ignore any domains not listed in this option. If left unset, all " -"domains from the AD forest will be available." +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:156 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 msgid "" -"ad_enabled_domains = sales.example.com, eng.example.com\n" -" " +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:152 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 msgid "" -"For proper operation, this option must be specified in all lower-case and as " -"the fully qualified domain name of the Active Directory domain. For example: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:160 -msgid "" -"The short domain name (also known as the NetBIOS or the flat name) will be " -"autodetected by SSSD." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:170 -msgid "ad_server, ad_backup_server (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:173 -msgid "" -"The comma-separated list of hostnames of the AD servers to which SSSD should " -"connect in order of preference. For more information on failover and server " -"redundancy, see the <quote>FAILOVER</quote> section." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:180 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 msgid "" -"This is optional if autodiscovery is enabled. For more information on " -"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:185 -msgid "" -"Note: Trusted domains will always auto-discover servers even if the primary " -"server is explicitly defined in the ad_server option." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:193 -msgid "ad_hostname (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:196 -msgid "" -"Optional. May be set on machines where the hostname(5) does not reflect the " -"fully qualified name used in the Active Directory domain to identify this " -"host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:202 -msgid "" -"This field is used to determine the host principal in use in the keytab. It " -"must match the hostname for which the keytab was issued." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:210 -msgid "ad_enable_dns_sites (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:217 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 msgid "" -"If true and service discovery (see Service Discovery paragraph at the bottom " -"of the man page) is enabled, the SSSD will first attempt to discover the " -"Active Directory server to connect to using the Active Directory Site " -"Discovery and fall back to the DNS SRV records if no AD site is found. The " -"DNS SRV configuration, including the discovery domain, is used during site " -"discovery as well." +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:233 -msgid "ad_access_filter (string)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:236 -msgid "" -"This option specifies LDAP access control filter that the user must match in " -"order to be allowed access. Please note that the <quote>access_provider</" -"quote> option must be explicitly set to <quote>ad</quote> in order for this " -"option to have an effect." +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:244 -msgid "" -"The option also supports specifying different filters per domain or forest. " -"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " -"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " -"missing." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:252 -msgid "" -"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" -"quote> specifies the domain or subdomain the filter applies to. If the " -"keyword equals to <quote>FOREST</quote>, then the filter equals to all " -"domains from the forest specified by <quote>NAME</quote>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:260 +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 msgid "" -"Multiple filters can be separated with the <quote>?</quote> character, " -"similarly to how search bases work." +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:265 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 msgid "" -"Nested group membership must be searched for using a special OID " -"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." -"example.org: syntax to ensure the parser does not attempt to interpret the " -"colon characters associated with the OID. If you do not use this OID then " -"nested group membership will not be resolved. See usage example below and " -"refer here for further information about the OID: <ulink url=\"https://msdn." -"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " -"extensions</ulink>" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 msgid "" -"The most specific match is always used. For example, if the option specified " -"filter for a domain the user is a member of and a global filter, the per-" -"domain filter would be applied. If there are more matches with the same " -"specification, the first one is used." +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-ad.5.xml:289 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 msgid "" -"# apply filter on domain called dom1 only:\n" -"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" -"\n" -"# apply filter on domain called dom2 only:\n" -"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" -"\n" -"# apply filter on forest called EXAMPLE.COM only:\n" -"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" -"\n" -"# apply filter for a member of a nested group in dom1:\n" -"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" -" " +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:308 -msgid "ad_site (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:311 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 msgid "" -"Specify AD site to which client should try to connect. If this option is " -"not provided, the AD site will be auto-discovered." +"Any text string describing the user. Often used as the field for the user's " +"full name." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:322 -msgid "ad_enable_gc (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:325 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 msgid "" -"By default, the SSSD connects to the Global Catalog first to retrieve users " -"from trusted domains and uses the LDAP port to retrieve group memberships or " -"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " -"port of the current AD server." +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:333 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 msgid "" -"Please note that disabling Global Catalog support does not disable " -"retrieving users from trusted domains. The SSSD would connect to the LDAP " -"port of trusted domains instead. However, Global Catalog must be used in " -"order to resolve cross-domain group memberships." +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:347 -msgid "ad_gpo_access_control (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:350 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 msgid "" -"This option specifies the operation mode for GPO-based access control " -"functionality: whether it operates in disabled mode, enforcing mode, or " -"permissive mode. Please note that the <quote>access_provider</quote> option " -"must be explicitly set to <quote>ad</quote> in order for this option to have " -"an effect." +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:359 -msgid "" -"GPO-based access control functionality uses GPO policy settings to determine " -"whether or not a particular user is allowed to logon to a particular host." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:365 -msgid "" -"NOTE: The current version of SSSD does not support host (computer) entries " -"in the GPO 'Security Filtering' list. Only user and group entries are " -"supported. Host entries in the list have no effect." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:372 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 msgid "" -"NOTE: If the operation mode is set to enforcing, it is possible that users " -"that were previously allowed logon access will now be denied logon access " -"(as dictated by the GPO policy settings). In order to facilitate a smooth " -"transition for administrators, a permissive mode is available that will not " -"enforce the access control rules, but will evaluate them and will output a " -"syslog message if access would have been denied. By examining the logs, " -"administrators can then make the necessary changes before setting the mode " -"to enforcing." +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:385 -msgid "There are three supported values for this option:" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:389 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 msgid "" -"disabled: GPO-based access control rules are neither evaluated nor enforced." 
+"Do not create the user's home directory. Overrides configuration settings." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:395 -msgid "enforcing: GPO-based access control rules are evaluated and enforced." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 msgid "" -"permissive: GPO-based access control rules are evaluated, but not enforced. " -"Instead, a syslog message will be emitted indicating that the user would " -"have been denied access if this option's value were set to enforcing." +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:412 -msgid "Default: permissive" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:415 -msgid "Default: enforcing" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:421 -msgid "ad_gpo_implicit_deny (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 msgid "" -"Normally when no applicable GPOs are found the users are allowed access. " -"When this option is set to True users will be allowed access only when " -"explicitly allowed by a GPO rule. Otherwise users will be denied access. " -"This can be used to harden security but be careful when using this option " -"because it can deny access even to users in the built-in Administrators " -"group if no GPO rules apply to them." +"The SELinux user for the user's login. If not specified, the system default " +"will be used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:441 -msgid "ad_gpo_ignore_unreadable (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:444 +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 msgid "" -"Normally when some group policy containers (AD object) of applicable group " -"policy objects are not readable by SSSD then users are denied access. This " -"option allows to ignore group policy containers and with them associated " -"policies if their attributes in group policy containers are not readable for " -"SSSD." +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:461 -msgid "ad_gpo_cache_timeout (integer)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:464 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 msgid "" -"The amount of time between lookups of GPO policy files against the AD " -"server. This will reduce the latency and load on the AD server if there are " -"many access-control requests made in a short period." +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:477 -msgid "ad_gpo_map_interactive (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:480 +#: sssd-krb5.5.xml:77 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the InteractiveLogonRight and " -"DenyInteractiveLogonRight policy settings." +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:486 +#: sssd-krb5.5.xml:106 msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on locally\" and \"Deny log on locally\"." +"The name of the Kerberos realm. This option is required and must be " +"specified." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:500 -#, no-wrap -msgid "" -"ad_gpo_map_interactive = +my_pam_service, -login\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:491 +#: sssd-krb5.5.xml:116 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>login</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:523 -msgid "gdm-fingerprint" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:543 -msgid "lightdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:548 -msgid "lxdm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:553 -msgid "sddm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:558 -msgid "unity" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:563 -msgid "xdm" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:572 -msgid "ad_gpo_map_remote_interactive (string)" +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:575 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the RemoteInteractiveLogonRight and " -"DenyRemoteInteractiveLogonRight policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:581 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on through Remote Desktop Services\" and \"Deny log on through Remote " -"Desktop Services\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:596 -#, no-wrap -msgid "" -"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" -" " +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:587 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>sshd</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:604 -msgid "sshd" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:609 -msgid "cockpit" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:618 -msgid "ad_gpo_map_network (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:621 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the NetworkLogonRight and " -"DenyNetworkLogonRight policy settings." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:627 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Access " -"this computer from the network\" and \"Deny access to this computer from the " -"network\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:642 -#, no-wrap -msgid "" -"ad_gpo_map_network = +my_pam_service, -ftp\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:633 -msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>ftp</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:650 -msgid "ftp" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:655 -msgid "samba" +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:664 -msgid "ad_gpo_map_batch (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:667 -msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " -"policy settings." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:673 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a batch job\" and \"Deny log on as a batch job\"." +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:687 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 msgid "" -"ad_gpo_map_batch = +my_pam_service, -crond\n" -" " +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:678 +#: sssd-krb5.5.xml:208 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for this logon right (e.g. " -"<quote>crond</quote>) with a custom pam service name (e.g. 
" -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:690 +#: sssd-krb5.5.xml:216 msgid "" -"Note: Cron service name may differ depending on Linux distribution used." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:696 -msgid "crond" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:705 -msgid "ad_gpo_map_service (string)" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:708 +#: sssd-krb5.5.xml:225 msgid "" -"A comma-separated list of PAM service names for which GPO-based access " -"control is evaluated based on the ServiceLogonRight and " -"DenyServiceLogonRight policy settings." +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:714 -msgid "" -"Note: Using the Group Policy Management Editor this value is called \"Allow " -"log on as a service\" and \"Deny log on as a service\"." +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:727 -#, no-wrap -msgid "" -"ad_gpo_map_service = +my_pam_service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:719 sssd-ad.5.xml:794 +#: sssd-krb5.5.xml:243 msgid "" -"It is possible to add a PAM service name to the default set by using <quote>" -"+service_name</quote>. Since the default set is empty, it is not possible " -"to remove a PAM service name from the default set. For example, in order to " -"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " -"would use the following configuration: <placeholder type=\"programlisting\" " -"id=\"0\"/>" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:737 -msgid "ad_gpo_map_permit (string)" +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:740 +#: sssd-krb5.5.xml:257 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always granted, regardless of any GPO Logon Rights." 
+"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:754 -#, no-wrap -msgid "" -"ad_gpo_map_permit = +my_pam_service, -sudo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:745 +#: sssd-krb5.5.xml:275 msgid "" -"It is possible to add another PAM service name to the default set by using " -"<quote>+service_name</quote> or to explicitly remove a PAM service name from " -"the default set by using <quote>-service_name</quote>. For example, in " -"order to replace a default PAM service name for unconditionally permitted " -"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " -"<quote>my_pam_service</quote>), you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:762 -msgid "polkit-1" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:777 -msgid "systemd-user" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:786 -msgid "ad_gpo_map_deny (string)" +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:789 +#: sssd-krb5.5.xml:288 msgid "" -"A comma-separated list of PAM service names for which GPO-based access is " -"always denied, regardless of any GPO Logon Rights." +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ad.5.xml:802 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 msgid "" -"ad_gpo_map_deny = +my_pam_service\n" -" " +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:812 -msgid "ad_gpo_default_right (string)" +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:815 +#: sssd-krb5.5.xml:309 msgid "" -"This option defines how access control is evaluated for PAM service names " -"that are not explicitly listed in one of the ad_gpo_map_* options. This " -"option can be set in two different manners. 
First, this option can be set to " -"use a default logon right. For example, if this option is set to " -"'interactive', it means that unmapped PAM service names will be processed " -"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " -"settings. Alternatively, this option can be set to either always permit or " -"always deny access for unmapped PAM service names." +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:828 -msgid "Supported values for this option include:" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:832 -msgid "interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:837 -msgid "remote_interactive" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:842 -msgid "network" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:847 -msgid "batch" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:852 -msgid "service" +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:857 -msgid "permit" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> -#: sssd-ad.5.xml:862 -msgid "deny" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:868 -msgid "Default: deny" +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:874 -msgid "ad_maximum_machine_account_password_age (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:877 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 msgid "" -"SSSD will check once a day if the machine account password is older than the " -"given age in days and try to renew it. A value of 0 will disable the renewal " -"attempt." +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:883 -msgid "Default: 30 days" +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. 
the TGT is not renewable" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-ad.5.xml:889 -msgid "ad_machine_account_password_renewal_opts (string)" +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:892 +#: sssd-krb5.5.xml:344 msgid "" -"This option should only be used to test the machine account renewal task. " -"The option expects 2 integers separated by a colon (':'). The first integer " -"defines the interval in seconds how often the task is run. The second " -"specifies the initial timeout in seconds before the task is run for the " -"first time after startup." +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:901 -msgid "Default: 86400:750 (24h and 15m)" +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:910 +#: sssd-krb5.5.xml:364 msgid "" -"Optional. This option tells SSSD to automatically update the Active " -"Directory DNS server with the IP address of this client. The update is " -"secured using GSS-TSIG. As a consequence, the Active Directory administrator " -"only needs to allow secure updates for the DNS zone. The IP address of the " -"AD LDAP connection is used for the updates, if it is not otherwise specified " -"by using the <quote>dyndns_iface</quote> option." +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:940 -msgid "Default: 3600 (seconds)" +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:956 -msgid "" -"Default: Use the IP addresses of the interface which is used for AD LDAP " -"connection" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:969 +#: sssd-krb5.5.xml:379 msgid "" -"How often should the back end perform periodic DNS update in addition to the " -"automatic update performed when the back end goes online. This option is " -"optional and applicable only when dyndns_update is true. Note that the " -"lowest possible value is 60 seconds in-case if value is provided less than " -"60, parameter will assume lowest value only." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76 -msgid "Default: True" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1099 -msgid "" -"The following example assumes that SSSD is correctly configured and example." -"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " -"This example shows only the AD provider-specific options." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1106 -#, no-wrap -msgid "" -"[domain/EXAMPLE]\n" -"id_provider = ad\n" -"auth_provider = ad\n" -"access_provider = ad\n" -"chpass_provider = ad\n" -"\n" -"ad_server = dc1.example.com\n" -"ad_hostname = client.example.com\n" -"ad_domain = example.com\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-ad.5.xml:1126 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 msgid "" -"access_provider = ldap\n" -"ldap_access_order = expire\n" -"ldap_account_expire_policy = ad\n" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1122 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 msgid "" -"The AD access control provider checks if the account is expired. It has the " -"same effect as the following configuration of the LDAP provider: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1132 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 msgid "" -"However, unless the <quote>ad</quote> access control provider is explicitly " -"configured, the default access provider is <quote>permit</quote>. Please " -"note that if you configure an access provider other than <quote>ad</quote>, " -"you need to set all the connection parameters (such as LDAP URIs and " -"encryption details) manually." +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ad.5.xml:1140 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 msgid "" -"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " -"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " -"are included in the default Active Directory schema." +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 -msgid "sssd-sudo" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-sudo.5.xml:17 -msgid "Configuring sudo with the SSSD back end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:23 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:36 -msgid "Configuring sudo to cooperate with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:38 -msgid "" -"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " -"the <emphasis>sudoers</emphasis> entry in <citerefentry> " -"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:47 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 msgid "" -"For example, to configure sudo to first lookup rules in the standard " -"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> file (which should contain rules that apply to " -"local users) and then in SSSD, the nsswitch.conf file should contain the " -"following line:" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:57 -#, no-wrap -msgid "sudoers: files sss\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_kdcinfo_lookahead (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 msgid "" -"More information about configuring the sudoers search order from the " -"nsswitch.conf file as well as information about the LDAP schema that is used " -"to store sudo rules in the directory can be found in <citerefentry> " -"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry>." +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " +"helpful when there are too many servers discovered using SRV record." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:70 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:518 msgid "" -"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " -"sudo rules, you also need to correctly set <citerefentry> " -"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry> to your NIS domain name (which equals to IPA domain name when " -"using hostgroups)." +"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " +"The first number represents number of primary servers used and the second " +"number specifies the number of backup servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:82 -msgid "Configuring SSSD to fetch sudo rules" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:524 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " +"servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:84 -msgid "" -"All configuration that is needed on SSSD side is to extend the list of " -"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " -"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " -"option." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:533 +msgid "Default: 3:1" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:94 -msgid "" -"The following example shows how to configure SSSD to download sudo rules " -"from an LDAP server." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:539 +msgid "krb5_use_enterprise_principal (boolean)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-sudo.5.xml:99 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:542 msgid "" -"[sssd]\n" -"config_file_version = 2\n" -"services = nss, pam, sudo\n" -"domains = EXAMPLE\n" -"\n" -"[domain/EXAMPLE]\n" -"id_provider = ldap\n" -"sudo_provider = ldap\n" -"ldap_uri = ldap://example.com\n" -"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:98 -msgid "" -"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" -"\"have_systemd\"> It's important to note that on platforms where systemd is " -"supported there's no need to add the \"sudo\" provider to the list of " -"services, as it became optional. However, sssd-sudo.socket must be enabled " -"instead. </phrase>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:548 +msgid "Default: false (AD provider: true)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:118 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:551 msgid "" -"When SSSD is configured to use IPA as the ID provider, the sudo provider is " -"automatically enabled. 
The sudo search base is configured to use the IPA " -"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " -"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," -"$SUFFIX) is no longer required for IPA sudo functionality." +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-sudo.5.xml:128 -msgid "The SUDO rule caching mechanism" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:560 +msgid "krb5_map_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:130 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:563 msgid "" -"The biggest challenge, when developing sudo support in SSSD, was to ensure " -"that running sudo with SSSD as the data source provides the same user " -"experience and is as fast as sudo but keeps providing the most current set " -"of rules as possible. To satisfy these requirements, SSSD uses three kinds " -"of updates. They are referred to as full refresh, smart refresh and rules " -"refresh." +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:138 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:575 +#, no-wrap msgid "" -"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " -"new or were modified after the last update. Its primary goal is to keep the " -"database growing by fetching only small increments that do not generate " -"large amounts of network traffic." +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:144 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:580 msgid "" -"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " -"in the cache and replaces them with all rules that are stored on the server. " -"This is used to keep the cache consistent by removing every rule which was " -"deleted from the server. However, full refresh may produce a lot of traffic " -"and thus it should be run only occasionally depending on the size and " -"stability of the sudo rules." +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:152 +#: sssd-krb5.5.xml:65 msgid "" -"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " -"more permission than defined. It is triggered each time the user runs sudo. " -"Rules refresh will find all rules that apply to this user, check their " -"expiration time and redownload them if expired. 
In the case that any of " -"these rules are missing on the server, the SSSD will do an out of band full " -"refresh because more rules (that apply to other users) may have been deleted." +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:161 +#: sssd-krb5.5.xml:606 msgid "" -"If enabled, SSSD will store only rules that can be applied to this machine. " -"This means rules that contain one of the following values in " -"<emphasis>sudoHost</emphasis> attribute:" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:168 -msgid "keyword ALL" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:614 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:173 -msgid "wildcard" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:178 -msgid "netgroup (in the form \"+netgroup\")" +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:183 -msgid "hostname or fully qualified domain name of this machine" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:188 -msgid "one of the IP addresses of this machine" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> -#: sssd-sudo.5.xml:193 -msgid "one of the IP addresses of the network (in the form \"address/mask\")" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-sudo.5.xml:199 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 msgid "" -"There are many configuration options that can be used to adjust the " -"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd.8.xml:10 sssd.8.xml:15 -msgid "sssd" +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd.8.xml:16 -msgid "System Security Services Daemon" +#: sss_userdel.8.xml:16 +msgid "delete a user account" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssd.8.xml:21 +#: sss_userdel.8.xml:21 msgid "" -"<command>sssd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:31 +#: sss_userdel.8.xml:32 msgid "" -"<command>SSSD</command> provides a set of daemons to manage access to remote " -"directories and authentication mechanisms. It provides an NSS and PAM " -"interface toward the system and a pluggable backend system to connect to " -"multiple different account sources as well as D-Bus interface. It is also " -"the basis to provide client auditing and policy services for projects like " -"FreeIPA. It provides a more robust database to store local users as well as " -"extended user data." +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:46 -msgid "" -"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" -"replaceable>" +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:53 -msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:57 -msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:60 -msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:69 -msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:73 +#: sss_userdel.8.xml:72 msgid "" -"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:76 -msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:85 -msgid "<option>-f</option>,<option>--debug-to-files</option>" +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:89 -msgid "" -"Send the debug output to files instead of stderr. By default, the log files " -"are stored in <filename>/var/log/sssd</filename> and there are separate log " -"files for every SSSD service and domain." +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:94 -msgid "" -"This option is deprecated. It is replaced by <option>--logger=files</option>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:101 -msgid "<option>--logger=</option><replaceable>value</replaceable>" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:105 +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 msgid "" -"Location where SSSD will send log messages. This option overrides the value " -"of the deprecated option <option>--debug-to-files</option>. The deprecated " -"option will still work if the <option>--logger</option> is not used." +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:112 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 msgid "" -"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " -"output." +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:116 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 msgid "" -"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " -"default, the log files are stored in <filename>/var/log/sssd</filename> and " -"there are separate log files for every SSSD service and domain." +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:122 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 msgid "" -"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:132 -msgid "<option>-D</option>,<option>--daemon</option>" +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:136 -msgid "Become a daemon after starting up." +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:142 sss_seed.8.xml:136 -msgid "<option>-i</option>,<option>--interactive</option>" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:146 -msgid "Run in the foreground, don't become a daemon." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:152 -msgid "<option>-c</option>,<option>--config</option>" +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:156 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 msgid "" -"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." -"conf</filename>. For reference on the config file syntax and options, " -"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:169 -msgid "<option>-g</option>,<option>--genconf</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:173 -msgid "" -"Do not start the SSSD, but refresh the configuration database from the " -"contents of <filename>/etc/sssd/sssd.conf</filename> and exit." +#: sss_usermod.8.xml:71 +msgid "The user's login shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:181 -msgid "<option>-s</option>,<option>--genconf-section</option>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:185 +#: sss_usermod.8.xml:96 msgid "" -"Similar to <quote>--genconf</quote>, but only refresh a single section from " -"the configuration file. This option is useful mainly to be called from " -"systemd unit files to allow socket-activated responders to refresh their " -"configuration without requiring the administrator to restart the whole SSSD." +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:197 -msgid "<option>--version</option>" +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:201 -msgid "Print version number and exit." +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd.8.xml:209 -msgid "Signals" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:212 -msgid "SIGTERM/SIGINT" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:215 -msgid "" -"Informs the SSSD to gracefully terminate all of its child processes and then " -"shut down the monitor." +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:221 -msgid "SIGHUP" +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:224 -msgid "" -"Tells the SSSD to stop writing to its current debug file descriptors and to " -"close and reopen them. This is meant to facilitate log rolling with programs " -"like logrotate." +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:232 -msgid "SIGUSR1" +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:235 +#: sss_usermod.8.xml:152 msgid "" -"Tells the SSSD to simulate offline operation for the duration of the " -"<quote>offline_timeout</quote> parameter. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd.8.xml:244 -msgid "SIGUSR2" +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd.8.xml:247 -msgid "" -"Tells the SSSD to go online immediately. This is useful for testing. The " -"signal can be sent to either the sssd process or any sssd_be process " -"directly." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd.8.xml:259 -msgid "" -"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " -"applications will not use the fast in memory cache." +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 -msgid "sss_obfuscate" +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_obfuscate.8.xml:16 -msgid "obfuscate a clear text password" +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_obfuscate.8.xml:21 +#: sss_cache.8.xml:21 msgid "" -"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" -"replaceable></arg>" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:32 +#: sss_cache.8.xml:31 msgid "" -"<command>sss_obfuscate</command> converts a given password into human-" -"unreadable format and places it into appropriate domain section of the SSSD " -"config file." +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:37 -msgid "" -"The cleartext password is read from standard input or entered " -"interactively. The obfuscated password is put into " -"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " -"<quote>ldap_default_authtok_type</quote> parameter is set to " -"<quote>obfuscated_password</quote>. Refer to <citerefentry> " -"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> for more details on these parameters." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_obfuscate.8.xml:49 -msgid "" -"Please note that obfuscating the password provides <emphasis>no real " -"security benefit</emphasis> as it is still possible for an attacker to " -"reverse-engineer the password back. Using better authentication mechanisms " -"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " -"advised." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:63 -msgid "<option>-s</option>,<option>--stdin</option>" +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:67 -msgid "The password to obfuscate will be read from standard input." +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 -#: sss_ssh_knownhostsproxy.1.xml:78 -msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:79 +#: sss_cache.8.xml:68 msgid "" -"The SSSD domain to use the password in. The default name is <quote>default</" -"quote>." +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_obfuscate.8.xml:86 +#: sss_cache.8.xml:75 msgid "" -"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:91 -msgid "Read the config file specified by the positional parameter." +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_obfuscate.8.xml:95 -msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_override.8.xml:10 sss_override.8.xml:15 -msgid "sss_override" +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_override.8.xml:16 -msgid "create local overrides of user and group attributes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" msgstr "" -#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_override.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 msgid "" -"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 msgid "" -"<command>sss_override</command> enables to create a client-side view and " -"allows to change selected values of specific user and groups. This change " -"takes effect only on local machine." +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:37 -msgid "" -"Overrides data are stored in the SSSD cache. If the cache is deleted, all " -"local overrides are lost. Please note that after the first override is " -"created using any of the following <emphasis>user-add</emphasis>, " -"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " -"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " -"take effect. <emphasis>sss_override</emphasis> prints message when a " -"restart is required." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:50 sssctl.8.xml:41 -msgid "AVAILABLE COMMANDS" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:52 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 msgid "" -"Argument <emphasis>NAME</emphasis> is the name of original object in all " -"commands. It is not possible to override <emphasis>uid</emphasis> or " -"<emphasis>gid</emphasis> to 0." +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:59 +#: sss_cache.8.xml:119 msgid "" -"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" -"optional> <optional><option>-g,--gid</option> GID</optional> " -"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" -"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" -"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " -"CERTIFICATE</optional>" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:72 -msgid "" -"Override attributes of an user. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) user." +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:80 -msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:85 +#: sss_cache.8.xml:134 msgid "" -"Remove user overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:94 +#: sss_cache.8.xml:141 msgid "" -"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:99 -msgid "" -"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " -"is set, only users from the domain are listed." +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:107 -msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:112 -msgid "Show user overrides." +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:118 -msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:123 -msgid "" -"Import user overrides from <emphasis>FILE</emphasis>. Data format is " -"similar to standard passwd file. The format is:" +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:128 -msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:131 +#: sss_cache.8.xml:178 msgid "" -"where original_name is original name of the user whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:140 -msgid "ckent:superman::::::" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:143 -msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:149 -msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:154 +#: sss_cache.8.xml:201 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>user-import</emphasis> for data format." +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:162 +#: sss_cache.8.xml:209 msgid "" -"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" -"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" -"optional>" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:169 -msgid "" -"Override attributes of a group. Please be aware that calling this command " -"will replace any previous override for the (NAMEd) group." +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:177 -msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:182 +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 msgid "" -"Remove group overrides. However be aware that overridden attributes might be " -"returned from memory cache. Please see SSSD option " -"<emphasis>memcache_timeout</emphasis> for more details." +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:191 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 msgid "" -"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" -"optional>" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:196 +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 msgid "" -"List all groups with set overrides. 
If <emphasis>DOMAIN</emphasis> " -"parameter is set, only groups from the domain are listed." +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:204 -msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:209 -msgid "Show group overrides." +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:215 -msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:220 +#: sss_seed.8.xml:68 msgid "" -"Import group overrides from <emphasis>FILE</emphasis>. 
Data format is " -"similar to standard group file. The format is:" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:225 -msgid "original_name:name:gid" +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:228 +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 msgid "" -"where original_name is original name of the group whose attributes should be " -"overridden. The rest of fields correspond to new values. You can omit a " -"value simply by leaving corresponding field empty." +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:237 -msgid "admins:administrators:" +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:240 -msgid "Domain Users:Users:501" +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:246 -msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_override.8.xml:251 +#: sss_seed.8.xml:153 msgid "" -"Export all overridden attributes and store them in <emphasis>FILE</" -"emphasis>. See <emphasis>group-import</emphasis> for data format." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_override.8.xml:261 sssctl.8.xml:50 -msgid "COMMON OPTIONS" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_override.8.xml:263 sssctl.8.xml:52 -msgid "Those options are available with all commands." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_override.8.xml:268 sssctl.8.xml:57 -msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 -msgid "sss_useradd" +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_useradd.8.xml:16 -msgid "create a new user" +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_useradd.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 msgid "" -"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_useradd.8.xml:32 +#: sssd-ifp.5.xml:36 msgid "" -"<command>sss_useradd</command> creates a new user account using the values " -"specified on the command line plus the default values from the system." +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:43 sss_seed.8.xml:76 -msgid "" -"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:48 +#: sssd-ifp.5.xml:53 msgid "" -"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " -"not given, it is chosen automatically." +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 msgid "" -"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" -"replaceable>" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +#: sssd-ifp.5.xml:63 msgid "" -"Any text string describing the user. Often used as the field for the user's " -"full name." +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 -msgid "" -"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" -"replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:72 -msgid "" -"The home directory of the user account. The default is to append the " -"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " -"that as the home directory. The base that is prepended before " -"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" -"baseDirectory</quote> setting in sssd.conf." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 -msgid "" -"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:87 -msgid "" -"The user's login shell. The default is currently <filename>/bin/bash</" -"filename>. The default can be changed with <quote>user_defaults/" -"defaultShell</quote> setting in sssd.conf." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:96 -msgid "" -"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" -"replaceable>" +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:101 -msgid "A list of existing groups this user is also a member of." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:107 -msgid "<option>-m</option>,<option>--create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:111 -msgid "" -"Create the user's home directory if it does not exist. The files and " -"directories contained in the skeleton directory (which can be defined with " -"the -k option or in the config file) will be copied to the home directory." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:121 -msgid "<option>-M</option>,<option>--no-create-home</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:125 +#: sssd-ifp.5.xml:81 msgid "" -"Do not create the user's home directory. Overrides configuration settings." +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:132 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap msgid "" -"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" -"replaceable>" +"user_attributes = +telephoneNumber, -loginShell\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:137 +#: sssd-ifp.5.xml:117 msgid "" -"The skeleton directory, which contains files and directories to be copied in " -"the user's home directory, when the home directory is created by " -"<command>sss_useradd</command>." +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:143 -msgid "" -"Special files (block devices, character devices, named pipes and unix " -"sockets) will not be copied." +#: sssd-ifp.5.xml:129 +msgid "Default: not set. 
Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:147 +#: sssd-ifp.5.xml:139 msgid "" -"This option is only valid if the <option>-m</option> (or <option>--create-" -"home</option>) option is specified, or creation of home directories is set " -"to TRUE in the configuration." +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 -msgid "" -"<option>-Z</option>,<option>--selinux-user</option> " -"<replaceable>SELINUX_USER</replaceable>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_useradd.8.xml:161 +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 msgid "" -"The SELinux user for the user's login. If not specified, the system default " -"will be used." +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 -msgid "sssd-krb5" +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-krb5.5.xml:17 -msgid "SSSD Kerberos provider" +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:23 -msgid "" -"This manual page describes the configuration of the Kerberos 5 " -"authentication backend for <citerefentry> <refentrytitle>sssd</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " -"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:36 +#: sss_rpcidmapd.5.xml:39 msgid "" -"The Kerberos 5 authentication backend contains auth and chpass providers. It " -"must be paired with an identity provider in order to function properly (for " -"example, id_provider = ldap). Some information required by the Kerberos 5 " -"authentication backend must be provided by the identity provider, such as " -"the user's Kerberos Principal Name (UPN). The configuration of the identity " -"provider should have an entry to specify the UPN. Please refer to the man " -"page for the applicable identity provider for details on how to configure " -"this." +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:47 -msgid "" -"This backend also provides access control based on the .k5login file in the " -"home directory of the user. 
See <citerefentry> <refentrytitle>.k5login</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " -"Please note that an empty .k5login file will deny all access to this user. " -"To activate this feature, use 'access_provider = krb5' in your SSSD " -"configuration." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:55 -msgid "" -"In the case where the UPN is not available in the identity backend, " -"<command>sssd</command> will construct a UPN using the format " -"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:77 +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 msgid "" -"Specifies the comma-separated list of IP addresses or hostnames of the " -"Kerberos servers to which SSSD should connect, in the order of preference. " -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. An optional port number (preceded by a " -"colon) may be appended to the addresses or hostnames. If empty, service " -"discovery is enabled; for more information, refer to the <quote>SERVICE " -"DISCOVERY</quote> section." +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:106 +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 msgid "" -"The name of the Kerberos realm. This option is required and must be " -"specified." +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:113 -msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:116 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 msgid "" -"If the change password service is not running on the KDC, alternative " -"servers can be defined here. An optional port number (preceded by a colon) " -"may be appended to the addresses or hostnames." +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:122 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 msgid "" -"For more information on failover and server redundancy, see the " -"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " -"servers to try, the backend is not switched to operate offline if " -"authentication against the KDC is still possible." +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:129 -msgid "Default: Use the KDC" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:135 -msgid "krb5_ccachedir (string)" -msgstr "" +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "另见" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:138 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 msgid "" -"Directory to store credential caches. 
All the substitution sequences of " -"krb5_ccname_template can be used here, too, except %d and %P. The directory " -"is created as private and owned by the user, with permissions set to 0700." +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:145 -msgid "Default: /tmp" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:151 -msgid "krb5_ccname_template (string)" +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 -msgid "%u" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 -msgid "login name" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 -msgid "%U" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:170 -msgid "login UID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:173 -msgid "%p" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:174 -msgid "principal name" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:178 -msgid "%r" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:179 -msgid "realm name" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:182 -msgid "%h" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. 
If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 -msgid "home directory" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 -msgid "%d" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:188 -msgid "value of krb5_ccachedir" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 -msgid "%P" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:194 -msgid "the process ID of the SSSD client" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 -msgid "%%" +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." msgstr "" -#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 -msgid "a literal '%'" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:154 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 msgid "" -"Location of the user's credential cache. Three credential cache types are " -"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " -"<quote>KEYRING:persistent</quote>. The cache can be specified either as " -"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " -"implies the <quote>FILE</quote> type. In the template, the following " -"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " -"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " -"filename in a safe way." +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:208 -msgid "" -"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" -"persistent:%U</quote>, which uses the Linux kernel keyring to store " -"credentials on a per-UID basis. This is also the recommended choice, as it " -"is the most secure and predictable method." +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:216 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" -"The default value for the credential cache name is sourced from the profile " -"stored in the system wide krb5.conf configuration file in the [libdefaults] " -"section. The option name is default_ccache_name. See krb5.conf(5)'s " -"PARAMETER EXPANSION paragraph for additional information on the expansion " -"format defined by krb5.conf." +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:225 -msgid "" -"NOTE: Please be aware that libkrb5 ccache expansion template from " -"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:234 -msgid "Default: (from libkrb5)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:240 -msgid "krb5_auth_timeout (integer)" +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:243 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 msgid "" -"Timeout in seconds after an online authentication request or change password " -"request is aborted. If possible, the authentication request is continued " -"offline." +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:254 -msgid "krb5_validate (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:257 +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 msgid "" -"Verify with the help of krb5_keytab that the TGT obtained has not been " -"spoofed. The keytab is checked for entries sequentially, and the first entry " -"with a matching realm is used for validation. 
If no entry matches the realm, " -"the last entry in the keytab is used. This process can be used to validate " -"environments using cross-realm trust by placing the appropriate keytab entry " -"as the last entry or the only entry in the keytab file." +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:272 -msgid "krb5_keytab (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:275 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 msgid "" -"The location of the keytab to use when validating credentials obtained from " -"KDCs." +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:279 -msgid "Default: /etc/krb5.keytab" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:285 -msgid "krb5_store_password_if_offline (boolean)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:288 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 msgid "" -"Store the password of the user if the provider is offline and use it to " -"request a TGT when the provider comes online again." +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:293 -msgid "" -"NOTE: this feature is only available on Linux. Passwords stored in this way " -"are kept in plaintext in the kernel keyring and are potentially accessible " -"by the root user (with difficulty)." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:306 -msgid "krb5_renewable_lifetime (string)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:309 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 msgid "" -"Request a renewable ticket with a total lifetime, given as an integer " -"immediately followed by a time unit:" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 -msgid "<emphasis>s</emphasis> for seconds" +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 -msgid "<emphasis>m</emphasis> for minutes" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 -msgid "<emphasis>h</emphasis> for hours" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 -msgid "<emphasis>d</emphasis> for days." +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 -msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 msgid "" -"NOTE: It is not possible to mix units. To set the renewable lifetime to one " -"and a half hours, use '90m' instead of '1h30m'." +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:335 -msgid "Default: not set, i.e. the TGT is not renewable" +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is read-" +"only the example includes <literal>backend = tdb</literal> as default." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:341 -msgid "krb5_lifetime (string)" +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:344 -msgid "" -"Request ticket with a lifetime, given as an integer immediately followed by " -"a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:360 -msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:364 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 msgid "" -"NOTE: It is not possible to mix units. To set the lifetime to one and a " -"half hours please use '90m' instead of '1h30m'." +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:369 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 msgid "" -"Default: not set, i.e. the default ticket lifetime configured on the KDC." 
+"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:376 -msgid "krb5_renew_interval (string)" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:379 -msgid "" -"The time in seconds between two checks if the TGT should be renewed. TGTs " -"are renewed if about half of their lifetime is exceeded, given as an integer " -"immediately followed by a time unit:" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:406 -msgid "If this option is not set or is 0 the automatic renewal is disabled." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:416 -msgid "krb5_use_fast (string)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:419 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:55 msgid "" -"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" -"authentication. The following options are supported:" +"Another reason is to provide efficient caching of local users and groups." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:424 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:58 msgid "" -"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " -"option at all." +"Please note that some distributions enable the files domain automatically, " +"prepending the domain before any explicitly configured domains. See " +"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:428 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:67 msgid "" -"<emphasis>try</emphasis> to use FAST. 
If the server does not support FAST, " -"continue the authentication without it." +"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" +"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " +"(usually files)." msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:433 + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:72 msgid "" -"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " -"server does not require fast." +"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " +"which causes the request to be passed to the next module." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:438 -msgid "Default: not set, i.e. FAST is not used." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:96 +msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:441 -msgid "NOTE: a keytab is required to use FAST." +#: sssd-files.5.xml:99 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:444 -msgid "" -"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " -"SSSD is used with an older version of MIT Kerberos, using this option is a " -"configuration error." +#: sssd-files.5.xml:105 +msgid "Default: /etc/passwd" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:453 -msgid "krb5_fast_principal (string)" +#: sssd-files.5.xml:111 +msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:456 -msgid "Specifies the server principal to use for FAST." +#: sssd-files.5.xml:114 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:465 +#: sssd-files.5.xml:120 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:80 msgid "" -"Specifies if the host and user principal should be canonicalized. This " -"feature is available with MIT Kerberos 1.7 and later versions." +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. But the purpose of the files provider is to expose the same " +"data as the UNIX files, just through the SSSD interfaces. Therefore not all " +"generic domain options are supported. Likewise, some global options, such as " +"overriding the shell in the <quote>nss</quote> section for all domains has " +"no effect on the files domain unless explicitly specified per-domain. " +"<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:505 -msgid "krb5_kdcinfo_lookahead (string)" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:132 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:508 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:138 +#, no-wrap msgid "" -"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " -"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " -"helpful when there are too many servers discovered using SRV record." +"[domain/files]\n" +"id_provider = files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:518 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:143 msgid "" -"The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " -"The first number represents number of primary servers used and the second " -"number specifies the number of backup servers." +"To leverage caching of local users and groups by SSSD nss_sss module must be " +"listed before nss_files module in /etc/nsswitch.conf." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:524 +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:149 +#, no-wrap msgid "" -"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " -"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" -"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " -"servers." +"passwd: sss files\n" +"group: sss files\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:533 -msgid "Default: 3:1" +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:539 -msgid "krb5_use_enterprise_principal (boolean)" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:542 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 msgid "" -"Specifies if the user principal should be treated as enterprise principal. " -"See section 5 of RFC 6806 for more details about enterprise principals." +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:548 -msgid "Default: false (AD provider: true)" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 msgid "" -"The IPA provider will set to option to 'true' if it detects that the server " -"is capable of handling enterprise principals and the option is not set " -"explicitly in the config file." +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-krb5.5.xml:560 -msgid "krb5_map_user (string)" +#: sssd-secrets.5.xml:69 +msgid "secrets" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:563 -msgid "" -"The list of mappings is given as a comma-separated list of pairs " -"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " -"name and <quote>primary</quote> is a user part of a kerberos principal. This " -"mapping is used when user is authenticating using <quote>auth_provider = " -"krb5</quote>." +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-krb5.5.xml:575 -#, no-wrap -msgid "" -"krb5_realm = REALM\n" -"krb5_map_user = joe:juser,dick:richard\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-krb5.5.xml:580 +#: sssd-secrets.5.xml:75 msgid "" -"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " -"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " -"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " -"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" -"quote>." +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:65 +#: sssd-secrets.5.xml:61 msgid "" -"If the auth-module krb5 is used in an SSSD domain, the following options " -"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " -"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " -"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-krb5.5.xml:606 +#: sssd-secrets.5.xml:91 msgid "" -"The following example assumes that SSSD is correctly configured and FOO is " -"one of the domains in the <replaceable>[sssd]</replaceable> section. This " -"example shows only configuration of Kerberos authentication; it does not " -"include any identity provider." +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-krb5.5.xml:614 +#: sssd-secrets.5.xml:110 #, no-wrap msgid "" -"[domain/FOO]\n" -"auth_provider = krb5\n" -"krb5_server = 192.168.1.1\n" -"krb5_realm = EXAMPLE.COM\n" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 -msgid "sss_groupadd" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupadd.8.xml:16 -msgid "create a new group" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupadd.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 msgid "" -"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupadd.8.xml:32 +#: sssd-secrets.5.xml:132 msgid "" -"<command>sss_groupadd</command> creates a new group. These groups are " -"compatible with POSIX groups, with the additional feature that they can " -"contain other groups as members." 
+"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 -msgid "" -"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +#: sssd-secrets.5.xml:141 +msgid "provider (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupadd.8.xml:48 -msgid "" -"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " -"not given, it is chosen automatically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 -msgid "sss_userdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_userdel.8.xml:16 -msgid "delete a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_userdel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 msgid "" -"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_userdel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 msgid "" -"<command>sss_userdel</command> deletes a user identified by login name " -"<replaceable>LOGIN</replaceable> from the system." +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:44 -msgid "<option>-r</option>,<option>--remove</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:48 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 msgid "" -"Files in the user's home directory will be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:56 -msgid "<option>-R</option>,<option>--no-remove</option>" +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:60 -msgid "" -"Files in the user's home directory will NOT be removed along with the home " -"directory itself and the user's mail spool. Overrides the configuration." +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 include/failover.xml:116 +msgid "Default: 4" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:68 -msgid "<option>-f</option>,<option>--force</option>" +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:72 +#: sssd-secrets.5.xml:207 msgid "" -"This option forces <command>sss_userdel</command> to remove the user's home " -"directory and mail spool, even if they are not owned by the specified user." +"This option specifies the maximum number of secrets that can be stored in " +"the hive." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_userdel.8.xml:80 -msgid "<option>-k</option>,<option>--kick</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_userdel.8.xml:84 -msgid "Before actually deleting the user, terminate all his processes." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 -msgid "sss_groupdel" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupdel.8.xml:16 -msgid "delete a group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupdel.8.xml:21 -msgid "" -"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupdel.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 msgid "" -"<command>sss_groupdel</command> deletes a group identified by its name " -"<replaceable>GROUP</replaceable> from the system." +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 -msgid "sss_groupshow" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_groupshow.8.xml:16 -msgid "print properties of a group" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_groupshow.8.xml:21 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 msgid "" -"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" -"arg>" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_groupshow.8.xml:32 +#: sssd-secrets.5.xml:252 msgid "" -"<command>sss_groupshow</command> displays information about a group " -"identified by its name <replaceable>GROUP</replaceable>. The information " -"includes the group ID number, members of the group and the parent group." 
+"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_groupshow.8.xml:43 -msgid "<option>-R</option>,<option>--recursive</option>" +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_groupshow.8.xml:47 +#: sssd-secrets.5.xml:260 msgid "" -"Also print indirect group members in a tree-like hierarchy. Note that this " -"also affects printing parent groups - without <option>R</option>, only the " -"direct parent will be printed." +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 -msgid "sss_usermod" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_usermod.8.xml:16 -msgid "modify a user account" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_usermod.8.xml:21 -msgid "" -"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" -"arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_usermod.8.xml:32 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 msgid "" -"<command>sss_usermod</command> modifies the account specified by " -"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " -"on the command line." +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:60 -msgid "The home directory of the user account." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:71 -msgid "The user's login shell." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:82 -msgid "" -"Append this user to groups specified by the <replaceable>GROUPS</" -"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " -"a comma separated list of group names." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:96 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 msgid "" -"Remove this user from groups specified by the <replaceable>GROUPS</" -"replaceable> parameter." +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:103 -msgid "<option>-l</option>,<option>--lock</option>" +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:107 -msgid "Lock the user account. The user won't be able to log in." +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:114 -msgid "<option>-u</option>,<option>--unlock</option>" +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:118 -msgid "Unlock the user account." +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:129 -msgid "The SELinux user for the user's login." 
+#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:135 -msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:140 -msgid "Add an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:147 -msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:152 +#: sssd-secrets.5.xml:347 msgid "" -"Set an attribute to a name/value pair. The format is attrname=value. For " -"multi-valued attributes, the command replaces the values already present" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_usermod.8.xml:160 -msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_usermod.8.xml:165 -msgid "Delete an attribute/value pair. The format is attrname=value." +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." msgstr "" -#. 
type: Content of: <reference><refentry><refnamediv><refname> -#: sss_cache.8.xml:10 sss_cache.8.xml:15 -msgid "sss_cache" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_cache.8.xml:16 -msgid "perform cache cleanup" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_cache.8.xml:21 -msgid "" -"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_cache.8.xml:31 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 msgid "" -"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " -"records are forced to be reloaded from server as soon as related SSSD " -"backend is online. Options that invalidate a single object only accept a " -"single provided argument." +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:43 -msgid "<option>-E</option>,<option>--everything</option>" +#: sssd-secrets.5.xml:395 +msgid "cert (string)" msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:47 -msgid "Invalidate all cached entries." +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:53 -msgid "" -"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +#: sssd-secrets.5.xml:409 +msgid "key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:58 -msgid "Invalidate specific user." +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:64 -msgid "<option>-U</option>,<option>--users</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 msgid "" -"Invalidate all user records. This option overrides invalidation of specific " -"user if it was also set." +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. 
Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:75 -msgid "" -"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:80 -msgid "Invalidate specific group." +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:86 -msgid "<option>-G</option>,<option>--groups</option>" +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:90 +#: sssd-secrets.5.xml:461 msgid "" -"Invalidate all group records. This option overrides invalidation of specific " -"group if it was also set." +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:97 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap msgid "" -"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:102 -msgid "Invalidate specific netgroup." +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:108 -msgid "<option>-N</option>,<option>--netgroups</option>" +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:112 +#: sssd-secrets.5.xml:484 msgid "" -"Invalidate all netgroup records. This option overrides invalidation of " -"specific netgroup if it was also set." +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:119 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 msgid "" -"<option>-s</option>,<option>--service</option> <replaceable>service</" -"replaceable>" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:124 -msgid "Invalidate specific service." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:130 -msgid "<option>-S</option>,<option>--services</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:134 +#: sssd-secrets.5.xml:496 msgid "" -"Invalidate all service records. This option overrides invalidation of " -"specific service if it was also set." +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:141 -msgid "" -"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" -"replaceable>" +#: sssd-secrets.5.xml:516 +msgid "Creating a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:146 -msgid "Invalidate specific autofs maps." +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:152 -msgid "<option>-A</option>,<option>--autofs-maps</option>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:156 +#: sssd-secrets.5.xml:526 msgid "" -"Invalidate all autofs maps. This option overrides invalidation of specific " -"map if it was also set." +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:163 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap msgid "" -"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" -"replaceable>" +"http://localhost/secrets/mycontainer/mysecret\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:168 -msgid "Invalidate SSH public keys of a specific host." +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:174 -msgid "<option>-H</option>,<option>--ssh-hosts</option>" +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:178 +#: sssd-secrets.5.xml:547 msgid "" -"Invalidate SSH public keys of all hosts. This option overrides invalidation " -"of SSH public keys of specific host if it was also set." +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:186 +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap msgid "" -"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" -"replaceable>" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " msgstr "" #. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:191 -msgid "Invalidate particular sudo rule." +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:197 -msgid "<option>-R</option>,<option>--sudo-rules</option>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:201 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 msgid "" -"Invalidate all cached sudo rules. This option overrides invalidation of " -"specific sudo rule if it was also set." +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_cache.8.xml:209 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap msgid "" -"<option>-d</option>,<option>--domain</option> <replaceable>domain</" -"replaceable>" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_cache.8.xml:214 -msgid "Restrict invalidation process only to a particular domain." 
+"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 -msgid "sss_debuglevel" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_debuglevel.8.xml:16 -msgid "[DEPRECATED] change debug level while SSSD is running" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_debuglevel.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 msgid "" -"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" -"replaceable></arg>" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_debuglevel.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap msgid "" -"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " -"debug-level command. Please refer to the <command>sssctl</command> man page " -"for more information on sssctl usage." +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_seed.8.xml:10 sss_seed.8.xml:15 -msgid "sss_seed" +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_seed.8.xml:16 -msgid "seed the SSSD cache with a user" +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_seed.8.xml:21 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 msgid "" -"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" -"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" -"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" -"arg>" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:33 +#: sssd-session-recording.5.xml:41 msgid "" -"<command>sss_seed</command> seeds the SSSD cache with a user entry and " -"temporary password. If a user entry is already present in the SSSD cache " -"then the entry is updated with the temporary password." +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:46 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 msgid "" -"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" -"replaceable>" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:51 -msgid "" -"Provide the name of the domain in which the user is a member of. The domain " -"is also used to retrieve user information. The domain must be configured in " -"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " -"Information retrieved from the domain overrides what is provided in the " -"options." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 msgid "" -"<option>-n</option>,<option>--username</option> <replaceable>USER</" -"replaceable>" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:68 +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap msgid "" -"The username of the entry to be created or modified in the cache. 
The " -"<replaceable>USER</replaceable> option must be provided." +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:81 -msgid "Set the UID of the user to <replaceable>UID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:93 -msgid "Set the GID of the user to <replaceable>GID</replaceable>." +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:117 +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 msgid "" -"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:129 -msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:140 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 msgid "" -"Interactive mode for entering user information. This option will only prompt " -"for information not provided in the options or retrieved from the domain." +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_seed.8.xml:148 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 msgid "" -"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" -"replaceable>" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_seed.8.xml:153 +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 msgid "" -"Specify file to read user's password from. (if not specified password is " -"prompted for)" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_seed.8.xml:165 +#: sssd-kcm.8.xml:67 msgid "" -"The length of the password (or the size of file specified with -p or --" -"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " -"on systems with no globally-defined PASS_MAX value)." +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 -msgid "sssd-ifp" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:74 +msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-ifp.5.xml:17 -msgid "SSSD InfoPipe responder" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:84 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:23 +#: sssd-kcm.8.xml:76 msgid "" -"This manual page describes the configuration of the InfoPipe responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:36 +#: sssd-kcm.8.xml:89 msgid "" -"The InfoPipe responder provides a public D-Bus interface accessible over the " -"system bus. The interface allows the user to query information about remote " -"users and groups over the system bus." +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-ifp.5.xml:46 -msgid "These options can be used to configure the InfoPipe responder." +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:111 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:100 msgid "" -"Specifies the comma-separated list of UID values or user names that are " -"allowed to access the InfoPipe responder. User names are resolved to UIDs at " -"startup." +"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:59 -msgid "" -"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:120 +msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:63 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:122 msgid "" -"Please note that although the UID 0 is used as the default it will be " -"overwritten with this option. If you still want to allow the root user to " -"access the InfoPipe responder, which would be the typical case, you have to " -"add 0 to the list of allowed UIDs as well." +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at <quote>/var/lib/sss/" +"secrets</quote>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:77 -msgid "Specifies the comma-separated list of white or blacklisted attributes." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:129 +msgid "OBTAINING DEBUG LOGS" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:91 -msgid "name" +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:140 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:92 -msgid "user's login name" +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:95 -msgid "uidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:131 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" +"case doesn't work for you. The KCM logs will be generated at <filename>/var/" +"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " +"logs when you no longer need the debugging to be enabled as the sssd-kcm " +"service can generate quite a large amount of debugging information." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:96 -msgid "user ID" +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:99 -msgid "gidNumber" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:164 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that because the KCM service is typically socket-" +"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " +"after changing options in the <quote>kcm</quote> section of sssd.conf: " +"<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:100 -msgid "primary group ID" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:175 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:103 -msgid "gecos" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:183 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:104 -msgid "user information, typically full name" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:194 +msgid "socket_path (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:107 -msgid "homeDirectory" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:197 +msgid "The socket the KCM service will listen on." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-ifp.5.xml:111 -msgid "loginShell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:200 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:112 -msgid "user shell" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:205 +msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:81 -msgid "" -"By default, the InfoPipe responder only allows the default set of POSIX " -"attributes to be requested. 
This set is the same as returned by " -"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" -"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " -"id=\"0\"/>" +#: sssd-kcm.8.xml:208 +msgid "How many credential caches does the KCM database allow for all users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:212 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-ifp.5.xml:125 -#, no-wrap -msgid "" -"user_attributes = +telephoneNumber, -loginShell\n" -" " +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:217 +msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:117 +#: sssd-kcm.8.xml:220 msgid "" -"It is possible to add another attribute to this set by using <quote>" -"+attr_name</quote> or explicitly remove an attribute using <quote>-" -"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " -"deny <quote>loginShell</quote>, you would use the following configuration: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:129 -msgid "Default: not set. Only the default set of POSIX attributes is allowed." +#: sssd-kcm.8.xml:225 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 64" +msgstr "默认: 3" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:230 +msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:139 +#: sssd-kcm.8.xml:233 msgid "" -"Specifies an upper limit on the number of entries that are downloaded during " -"a wildcard lookup that overrides caller-supplied limit." +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-ifp.5.xml:144 -msgid "Default: 0 (let the caller set an upper limit)" -msgstr "" +#: sssd-kcm.8.xml:237 +#, fuzzy +#| msgid "Default: 3" +msgid "Default: 65536" +msgstr "默认: 3" -#. type: Content of: <reference><refentry><refentryinfo> -#: sss_rpcidmapd.5.xml:8 +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:247 msgid "" -"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" -"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " -"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" -"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " -"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" -"author>" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 -msgid "sss_rpcidmapd" +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" msgstr "" #. 
type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_rpcidmapd.5.xml:33 -msgid "sss plugin configuration directives for rpc.idmapd" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:37 -msgid "CONFIGURATION FILE" +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:39 +#: sssd-systemtap.5.xml:23 msgid "" -"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." -"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:49 -msgid "SSS CONFIGURATION EXTENSION" +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:51 -msgid "Enable SSS plugin" +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:53 +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 msgid "" -"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " -"attribute to contain <emphasis>sss</emphasis>." 
+"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_rpcidmapd.5.xml:59 -msgid "[sss] config section" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_rpcidmapd.5.xml:61 +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" -"In order to change the default of one of the configuration attributes of the " -"<emphasis>sss</emphasis> plugin listed below you will need to create a " -"config section for it, named <quote>[sss]</quote>." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> -#: sss_rpcidmapd.5.xml:67 -msgid "Configuration attributes" -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sss_rpcidmapd.5.xml:69 -msgid "memcache (bool)" +"The information below lists the probe points and arguments available in the " +"following format:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sss_rpcidmapd.5.xml:72 -msgid "Indicates whether or not to use memcache optimisation technique." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_rpcidmapd.5.xml:85 -msgid "SSSD INTEGRATION" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:87 +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap msgid "" -"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " -"in sssd." +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:91 -msgid "" -"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " -"all domains (NFSv4 clients expect a fully qualified name to be sent on the " -"wire)." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_rpcidmapd.5.xml:103 -#, no-wrap -msgid "" -"[General]\n" -"Verbosity = 2\n" -"# domain must be synced between NFSv4 server and clients\n" -"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" -"Domain = default\n" -"\n" -"[Mapping]\n" -"Nobody-User = nfsnobody\n" -"Nobody-Group = nfsnobody\n" -"\n" -"[Translation]\n" -"Method = sss\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:100 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 msgid "" -"The following example shows a minimal idmapd.conf which makes use of the sss " -"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" -#. type: Content of: <refsect1><title> -#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:245 include/seealso.xml:2 -msgid "SEE ALSO" -msgstr "另见" - -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_rpcidmapd.5.xml:122 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry>" -msgstr "" - -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 -msgid "sss_ssh_authorizedkeys" -msgstr "" - -#. type: Content of: <reference><refentry><refmeta><manvolnum> -#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 -msgid "1" +"nesting:integer\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_authorizedkeys.1.xml:16 -msgid "get OpenSSH authorized keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_authorizedkeys.1.xml:21 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 msgid "" -"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>USER</replaceable></arg>" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:32 -msgid "" -"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " -"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " -"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> for more information)." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:41 -msgid "" -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" -"command> for public key user authentication if it is compiled with support " -"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " -"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> man page for more details about this option." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_authorizedkeys.1.xml:59 -#, no-wrap -msgid "" -" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" -" AuthorizedKeysCommandUser nobody\n" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:52 -msgid "" -"If <quote>AuthorizedKeysCommand</quote> is supported, " -"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" -"citerefentry> can be configured to use it by putting the following " -"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " -"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" -"\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sss_ssh_authorizedkeys.1.xml:65 -msgid "KEYS FROM CERTIFICATES" +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:67 -msgid "" -"In addition to the public SSH keys for user <replaceable>USER</replaceable> " -"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " -"from the public key of a X.509 certificate as well." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:73 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap msgid "" -"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " -"set to true (default) in the [ssh] section of <filename>sssd.conf</" -"filename>. If the user entry contains certificates (see " -"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" -"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " -"there is a certificate in an override entry for the user (see " -"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" -"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " -"certificate is valid SSSD will extract the public key from the certificate " -"and convert it into the format expected by sshd." +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:90 -msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:92 -msgid "ca_db" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:93 -msgid "p11_child_timeout" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:94 -msgid "certificate_verification" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:96 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 msgid "" -"can be used to control how the certificates are validated (see " -"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum></citerefentry> for details)." +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:101 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap msgid "" -"The validation is the benefit of using X.509 certificates instead of SSH " -"keys directly because e.g. it gives a better control of the lifetime of the " -"keys. 
When the ssh client is configured to use the private keys from a " -"Smartcard with the help of a PKCS#11 shared library (see " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> for details) it might be irritating that authentication is " -"still working even if the related X.509 certificate on the Smartcard is " -"already expired because neither <command>ssh</command> nor <command>sshd</" -"command> will look at the certificate at all." +"attr:string\n" +"value:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sss_ssh_authorizedkeys.1.xml:114 -msgid "" -"It has to be noted that the derived public SSH key can still be added to the " -"<filename>authorized_keys</filename> file of the user to bypass the " -"certificate validation if the <command>sshd</command> configuration permits " -"this." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_authorizedkeys.1.xml:132 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 msgid "" -"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 -msgid "EXIT STATUS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap msgid "" -"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 -msgid "sss_ssh_knownhostsproxy" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sss_ssh_knownhostsproxy.1.xml:16 -msgid "get OpenSSH host keys" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sss_ssh_knownhostsproxy.1.xml:21 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " -"<replaceable>options</replaceable> </arg> <arg " -"choice='plain'><replaceable>HOST</replaceable></arg> <arg " -"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:33 -msgid "" -"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " -"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " -"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " -"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" -"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" -"pubconf/known_hosts</filename> and establishes the connection to the host." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:43 -msgid "" -"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " -"create the connection to the host instead of opening a socket." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sss_ssh_knownhostsproxy.1.xml:55 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" -"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" -"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sss_ssh_knownhostsproxy.1.xml:48 -msgid "" -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" -"command> for host key authentication by using the following directives for " -"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" -"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:66 -msgid "" -"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:71 -msgid "" -"Use port <replaceable>PORT</replaceable> to connect to the host. By " -"default, port 22 is used." +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:83 -msgid "" -"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sss_ssh_knownhostsproxy.1.xml:89 -msgid "<option>-k</option>,<option>--pubkey</option>" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sss_ssh_knownhostsproxy.1.xml:93 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap msgid "" -"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +"filter:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 -msgid "idmap_sss" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: idmap_sss.8.xml:16 -msgid "SSSD's idmap_sss Backend for Winbind" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:22 -msgid "" -"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " -"No database is required in this case as the mapping is done by SSSD." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><title> -#: idmap_sss.8.xml:29 -msgid "IDMAP OPTIONS" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: idmap_sss.8.xml:33 -msgid "range = low - high" +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: idmap_sss.8.xml:35 -msgid "" -"Defines the available matching UID and GID range for which the backend is " -"authoritative." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:45 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap msgid "" -"This example shows how to configure idmap_sss as the default mapping module." 
+"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: idmap_sss.8.xml:50 -#, no-wrap -msgid "" -"[global]\n" -"security = ads\n" -"workgroup = <AD-DOMAIN-SHORTNAME>\n" -"\n" -"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" -"idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" -"\n" -"idmap config * : backend = tdb\n" -"idmap config * : range = 100000-199999\n" -" " +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:62 -msgid "" -"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " -"the AD domain. If multiple AD domains should be used each domain needs an " -"<literal>idmap config</literal> line with <literal>backend = sss</literal> " -"and a line with a suitable <literal>range</literal>." +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: idmap_sss.8.xml:69 +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap msgid "" -"Since Winbind requires a writeable default backend and idmap_sss is read-" -"only the example includes <literal>backend = tdb</literal> as default." +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssctl.8.xml:10 sssctl.8.xml:15 -msgid "sssctl" +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssctl.8.xml:16 -msgid "SSSD control and status utility" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" msgstr "" -#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> -#: sssctl.8.xml:21 -msgid "" -"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" -"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" -"arg>" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:32 +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 msgid "" -"<command>sssctl</command> provides a simple and unified way to obtain " -"information about SSSD status, such as active server, auto-discovered " -"servers, domains and cached objects. In addition, it can manage SSSD data " -"files for troubleshooting in such a way that is safe to manipulate while " -"SSSD is running." +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssctl.8.xml:43 -msgid "" -"To list all available commands run <command>sssctl</command> without any " -"parameters. To print help for selected command run <command>sssctl COMMAND --" -"help</command>." +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-files.5.xml:10 sssd-files.5.xml:16 -msgid "sssd-files" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-files.5.xml:17 -msgid "SSSD files provider" +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:23 -msgid "" -"This manual page describes the files provider for <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" -"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:36 -msgid "" -"The files provider mirrors the content of the <citerefentry> " -"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" -"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> files. 
The purpose of the files " -"provider is to make the users and groups traditionally only accessible with " -"NSS interfaces also available through the SSSD interfaces such as " -"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry>." +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:55 -msgid "" -"Another reason is to provide efficient caching of local users and groups." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:58 +#: sssd-systemtap.5.xml:412 msgid "" -"Please note that some distributions enable the files domain automatically, " -"prepending the domain before any explicitly configured domains. See " -"enable_files_domain in <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +"Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" +"script_name>.stp</command>), then perform an identity operation and the " +"script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:67 -msgid "" -"SSSD never handles resolution of user/group \"root\". Also resolution of UID/" -"GID 0 is not handled by SSSD. Such requests are passed to next NSS module " -"(usually files)." +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:72 -msgid "" -"When SSSD is not running or responding, nss_sss returns the UNAVAIL code " -"which causes the request to be passed to the next module." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:96 -msgid "passwd_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:99 -msgid "" -"Comma-separated list of one or multiple password filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:105 -msgid "Default: /etc/passwd" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-files.5.xml:111 -msgid "group_files (string)" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:114 -msgid "" -"Comma-separated list of one or multiple group filenames to be read and " -"enumerated by the files provider, inotify monitor watches will be set on " -"each file to detect changes dynamically." +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-files.5.xml:120 -msgid "Default: /etc/group" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:80 -msgid "" -"In addition to the options listed below, generic SSSD domain options can be " -"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " -"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for details on the configuration of " -"an SSSD domain. But the purpose of the files provider is to expose the same " -"data as the UNIX files, just through the SSSD interfaces. Therefore not all " -"generic domain options are supported. Likewise, some global options, such as " -"overriding the shell in the <quote>nss</quote> section for all domains has " -"no effect on the files domain unless explicitly specified per-domain. " -"<placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:132 -msgid "" -"The following example assumes that SSSD is correctly configured and files is " -"one of the domains in the <replaceable>[sssd]</replaceable> section." +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:138 -#, no-wrap -msgid "" -"[domain/files]\n" -"id_provider = files\n" +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> -#: sssd-files.5.xml:143 -msgid "" -"To leverage caching of local users and groups by SSSD nss_sss module must be " -"listed before nss_files module in /etc/nsswitch.conf." -msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-files.5.xml:149 -#, no-wrap +#: sssd-ldap-attributes.5.xml:23 msgid "" -"passwd: sss files\n" -"group: sss files\n" +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " +"for full details about SSSD LDAP provider configuration options." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 -msgid "sssd-secrets" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-secrets.5.xml:17 -msgid "SSSD Secrets responder" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:23 -msgid "" -"This manual page describes the configuration of the Secrets responder for " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " -"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:36 -msgid "" -"Many system and user applications need to store private information such as " -"passwords or service keys and have no good way to properly deal with them. " -"The simple approach is to embed these <quote>secrets</quote> into " -"configuration files potentially ending up exposing sensitive key material to " -"backups, config management system and in general making it harder to secure " -"data." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" msgstr "" - -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:45 -msgid "" -"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " -"project was born to deal with this problem in cloud like environments, but " -"we found the idea compelling even at a single system level. As a security " -"service, SSSD is ideal to host this capability while offering the same API " -"via a UNIX Socket. This will make it possible to use local calls and have " -"them transparently routed to a local or a remote key management store like " -"IPA Vault for storage, escrow and recovery." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:55 -msgid "" -"The secrets are simple key-value pairs. Each user's secrets are namespaced " -"using their user ID, which means the secrets will never collide between " -"users. Secrets can be stored inside <quote>containers</quote> which can be " -"nested." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:69 -msgid "secrets" +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:70 -msgid "secrets for general usage" +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:73 -msgid "kcm" +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:75 -msgid "" -"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry> service." 
+#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:61 -msgid "" -"Since the secrets responder can be used both externally to store general " -"secrets, as described in the rest of this man page, but also internally by " -"other SSSD components to store their secret material, some configuration " -"options, like quotas can be configured per <quote>hive</quote> in a " -"configuration subsection named after the hive. The currently supported hives " -"are: <placeholder type=\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:681 +msgid "Default: gidNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:89 -msgid "USING THE SECRETS RESPONDER" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:91 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 msgid "" -"The UNIX socket the SSSD responder listens on is located at <filename>/var/" -"run/secrets.socket</filename>." +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:110 -#, no-wrap -msgid "" -"systemctl start sssd-secrets.socket\n" -"systemctl enable sssd-secrets.socket\n" -"systemctl enable sssd-secrets.service\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:95 -msgid "" -"The secrets responder is socket-activated by <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " -"the <quote>secrets</quote> string to the <quote>service</quote> directive. " -"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " -"corresponding service file is called <quote>sssd-secrets.service</quote>. In " -"order for the service to be socket-activated, make sure the socket is " -"enabled and active and the service is enabled: <placeholder type=" -"\"programlisting\" id=\"0\"/> Please note your distribution may already " -"configure the units for you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:122 -msgid "" -"The generic SSSD responder options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " -"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some secrets-specific options as well." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:132 -msgid "" -"The secrets responder is configured with a global <quote>[secrets]</quote> " -"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " -"in <filename>sssd.conf</filename>. Please note that some options, notably as " -"the provider type, can only be specified in the per-user subsections." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:141 -msgid "provider (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:157 -msgid "local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:160 -msgid "" -"The secrets are stored in a local database, encrypted at rest with a master " -"key. The local provider does not have any additional config options at the " -"moment." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:168 -msgid "proxy" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:171 -msgid "" -"The secrets responder forwards the requests to a Custodia server. The proxy " -"provider supports several additional options (see below)." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:144 -msgid "" -"This option specifies where should the secrets be stored. The secrets " -"responder can configure a per-user subsections (e.g. <quote>[secrets/" -"users/123]</quote> - see bottom of this manual page for a full example using " -"Custodia for a particular user) that define which provider store the secrets " -"for this particular user. The per-user subsections should contain all " -"options for that user's provider. Please note that currently the global " -"provider is always local, the proxy provider can only be specified in a per-" -"user section. The following providers are supported: <placeholder type=" -"\"variablelist\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:180 -msgid "Default: local" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:186 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:707 msgid "" -"The following options affect only the secrets <quote>hive</quote> and " -"therefore should be set in a per-hive subsection. Setting the option to 0 " -"means \"unlimited\"." +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:192 -msgid "containers_nest_level (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:195 -msgid "This option specifies the maximum allowed number of nested containers." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:199 include/failover.xml:116 -msgid "Default: 4" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:722 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:204 -msgid "max_secrets (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:207 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:732 +#: sssd-ldap-attributes.5.xml:855 msgid "" -"This option specifies the maximum number of secrets that can be stored in " -"the hive." +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:211 -msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:736 +#: sssd-ldap-attributes.5.xml:862 +msgid "Default: modifyTimestamp" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:216 -msgid "max_uid_secrets (integer)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:219 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 msgid "" -"This option specifies the maximum number of secrets that can be stored per-" -"UID in the hive." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:223 -msgid "Default: 256 (secrets hive), 64 (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:228 -msgid "max_payload_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:231 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 msgid "" -"This option specifies the maximum payload size allowed for a secret payload " -"in kilobytes." 
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:235 -msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:244 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 msgid "" -"[secrets/secrets]\n" -"max_payload_size = 128\n" -"\n" -"[secrets/kcm]\n" -"max_payload_size = 256\n" -" " +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:241 -msgid "" -"For example, to adjust quotas differently for both the <quote>secrets</" -"quote> and the <quote>kcm</quote> hives, configure the following: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:252 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 msgid "" -"The following options are only applicable for configurations that use the " -"<quote>proxy</quote> provider." +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:257 -msgid "proxy_url (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:260 -msgid "" -"The URL the Custodia server is listening on. At the moment, http and https " -"protocols are supported." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:267 -msgid "http[s]://<host>[:port]" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:270 -msgid "Example: http://localhost:8080" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:275 -msgid "auth_type (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:278 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 msgid "" -"The method to use when authenticating to a Custodia server. The following " -"authentication methods are supported:" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:283 -msgid "basic_auth" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:286 -msgid "" -"Authenticate with a username and a password as set in the <quote>username</" -"quote> and <quote>password</quote> options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:293 -msgid "header" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:296 -msgid "" -"Authenticate with HTTP header value as defined in the " -"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " -"configuration options." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:307 -msgid "auth_header_name (string)" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:310 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 msgid "" -"If set, the secrets responder would put a header with this name into the " -"HTTP request with the value defined in the <quote>auth_header_value</quote> " -"configuration option." +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:315 -msgid "Example: MYSECRETNAME" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:320 -msgid "auth_header_value (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:323 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 msgid "" -"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." 
msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:327 -msgid "Example: mysecret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:332 -msgid "forward_headers (list of strings)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:335 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 msgid "" -"The list of HTTP headers to forward to the Custodia server together with the " -"request." +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:344 -msgid "verify_peer (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:347 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 msgid "" -"Whether peer's certificate should be verified and valid if HTTPS protocol is " -"used with the proxy provider." +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:356 -msgid "verify_host (boolean)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:359 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 msgid "" -"Whether peer's hostname must match with hostname in its certificate if HTTPS " -"protocol is used with the proxy provider." +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:369 -msgid "capath (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:372 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 msgid "" -"Path to directory containing stored certificate authority certificates. " -"System default path is used if this option is not set." +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:382 -msgid "cacert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:385 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 msgid "" -"Path to file containing server's certificate authority certificate. If this " -"option is not set then the CA's certificate is looked up in <quote>capath</" -"quote>." +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:395 -msgid "cert (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:398 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 msgid "" -"Path to file containing client's certificate if required by the server. This " -"file may also contain private key or the private key may be in separate file " -"set with <quote>key</quote>." +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:409 -msgid "key (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:412 -msgid "Path to file containing client's private key." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:422 -msgid "USING THE REST API" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:424 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 msgid "" -"This section lists the available commands and includes examples using the " -"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " -"</citerefentry> utility. All requests towards the proxy provider must set " -"the Content Type header to <quote>application/json</quote>. In addition, the " -"local provider also supports Content Type set to <quote>application/octet-" -"stream</quote>. Secrets stored with requests that set the Content Type " -"header to <quote>application/octet-stream</quote> are base64-encoded when " -"stored and decoded when retrieved, so it's not possible to store a secret " -"with one Content Type and retrieve with another. The secret URI must begin " -"with <filename>/secrets/</filename>." +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:441 -msgid "Listing secrets" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:444 -msgid "" -"To list the available secrets, send a HTTP GET request with a trailing slash " -"appended to the container path." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:450 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/\n" -" " +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:458 -msgid "Retrieving a secret" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:461 -msgid "" -"To read a value of a single secret, send a HTTP GET request without a " -"trailing slash. 
The last portion of the URI is the name of the secret." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:468 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/foo\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:946 +msgid "Default: sshPublicKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:473 -#, no-wrap -msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XGET http://localhost/secrets/bar\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:466 -msgid "" -"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:481 -msgid "Setting a secret" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:484 -msgid "" -"To set a secret using the <quote>application/json</quote> type, send a HTTP " -"PUT request with a JSON payload that includes type and value. The type " -"should be set to \"simple\" and the value should be set to the secret value. " -"If a secret with that name already exists, the response is a 409 HTTP error." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:492 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:933 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 msgid "" -"The <quote>application/json</quote> type just sends the secret as the " -"message payload." +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:501 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/foo \\\n" -" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" -" " +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:507 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 msgid "" -"curl -H \"Content-Type: application/octet-stream\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPUT http://localhost/secrets/bar \\\n" -" -d'barsecret'\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:496 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 msgid "" -"The following example sets a secret named 'foo' to a value of 'foosecret' " -"and a secret named 'bar' to a value of 'barsecret' using a different Content " -"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" -"\"programlisting\" id=\"1\"/>" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login process. 
" +"Therefore when using service-based access control, the <quote>systemd-user</" +"quote> service might need to be added to the list of allowed services." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:516 -msgid "Creating a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:519 -msgid "" -"Containers provide an additional namespace for this user's secrets. To " -"create a container, send a HTTP POST request, whose URI ends with the " -"container name. Please note the URI must end with a trailing slash." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:529 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XPOST http://localhost/secrets/mycontainer/\n" -" " +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:526 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 msgid "" -"The following example creates a container named 'mycontainer': <placeholder " -"type=\"programlisting\" id=\"0\"/>" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:538 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 msgid "" -"http://localhost/secrets/mycontainer/mysecret\n" -" " +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:535 -msgid "" -"To manipulate secrets under this container, just nest the secrets underneath " -"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-secrets.5.xml:544 -msgid "Deleting a secret or a container" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:547 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 msgid "" -"To delete a secret or a container, send a HTTP DELETE request with a path to " -"the secret or the container." +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> -#: sssd-secrets.5.xml:553 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 msgid "" -"curl -H \"Content-Type: application/json\" \\\n" -" --unix-socket /var/run/secrets.socket \\\n" -" -XDELETE http://localhost/secrets/foo\n" -" " +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-secrets.5.xml:551 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 msgid "" -"The following example deletes a secret named 'foo'. <placeholder type=" -"\"programlisting\" id=\"0\"/>" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-secrets.5.xml:563 -msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:565 -msgid "" -"For testing the proxy provider, you need to set up a Custodia server to " -"proxy requests to. Please always consult the Custodia documentation, the " -"configuration directives might change with different Custodia versions." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-secrets.5.xml:576 -#, no-wrap -msgid "" -"[global]\n" -"server_version = \"Secret/0.0.7\"\n" -"server_url = http://localhost:8080/\n" -"auditlog = /var/log/custodia.log\n" -"debug = True\n" -"\n" -"[store:simple]\n" -"handler = custodia.store.sqlite.SqliteStore\n" -"dburi = /var/lib/custodia.db\n" -"table = secrets\n" -"\n" -"[auth:header]\n" -"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" -"header = MYSECRETNAME\n" -"value = mysecretkey\n" -"\n" -"[authz:paths]\n" -"handler = custodia.httpd.authorizers.SimplePathAuthz\n" -"paths = /secrets\n" -"\n" -"[/]\n" -"handler = custodia.root.Root\n" -"store = simple\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:570 -msgid "" -"This configuration will set up a Custodia server listening on http://" -"localhost:8080, allowing anyone with header named MYSECRETNAME set to " -"mysecretkey to communicate with the Custodia server. Place the contents " -"into a file (for example, <replaceable>custodia.conf</replaceable>): " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:602 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 msgid "" -"Then run the <replaceable>custodia</replaceable> command, pointing it at the " -"config file as a command line argument." +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-secrets.5.xml:606 -msgid "" -"Please note that currently it's not possible to proxy all requests globally " -"to a Custodia instance. Instead, per-user subsections for user IDs that " -"should proxy requests to Custodia must be defined. The following example " -"illustrates a configuration, where the user with UID 123 would proxy their " -"requests to Custodia, but all other user's requests would be handled by a " -"local provider." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:635 +msgid "Default: mail" msgstr "" -#. type: Content of: <reference><refentry><refsect1><programlisting> -#: sssd-secrets.5.xml:614 -#, no-wrap -msgid "" -"[secrets]\n" -"\n" -"[secrets/users/123]\n" -"provider = proxy\n" -"proxy_url = http://localhost:8080/secrets/\n" -"auth_type = header\n" -"auth_header_name = MYSECRETNAME\n" -"auth_header_value = mysecretkey\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:644 +msgid "GROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 -msgid "sssd-session-recording" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:648 +msgid "ldap_group_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-session-recording.5.xml:17 -msgid "Configuring session recording with SSSD" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:651 +msgid "The object class of a group entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:23 -msgid "" -"This manual page describes how to configure <citerefentry> " -"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " -"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " -"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " -"implement user session recording on text terminals. 
For a detailed " -"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " -"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " -"<manvolnum>5</manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:654 +msgid "Default: posixGroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:41 -msgid "" -"SSSD can be set up to enable recording of everything specific users see or " -"type during their sessions on text terminals. E.g. when users log in on the " -"console, or via SSH. SSSD itself doesn't record anything, but makes sure " -"tlog-rec-session is started upon user login, so it can record according to " -"its configuration." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:660 +msgid "ldap_group_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:48 -msgid "" -"For users with session recording enabled, SSSD replaces the user shell with " -"tlog-rec-session in NSS responses, and adds a variable specifying the " -"original shell to the user environment, upon PAM session setup. This way " -"tlog-rec-session can be started in place of the user shell, and know which " -"actual shell to start, once it set up the recording." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:663 +msgid "The LDAP attribute that corresponds to the group name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:60 -msgid "These options can be used to configure the session recording." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:667 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-session-recording.5.xml:146 -msgid "" -"The following snippet of sssd.conf enables session recording for users " -"\"contractor1\" and \"contractor2\", and group \"students\"." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:674 +msgid "ldap_group_gid_number (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-session-recording.5.xml:151 -#, no-wrap -msgid "" -"[session_recording]\n" -"scope = some\n" -"users = contractor1, contractor2\n" -"groups = students\n" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:677 +msgid "The LDAP attribute that corresponds to the group's id." msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 -msgid "sssd-kcm" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:687 +msgid "ldap_group_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-kcm.8.xml:17 -msgid "SSSD Kerberos Cache Manager" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:690 +msgid "The LDAP attribute that contains the names of the group's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:23 -msgid "" -"This manual page describes the configuration of the SSSD Kerberos Cache " -"Manager (KCM). 
KCM is a process that stores, tracks and manages Kerberos " -"credential caches. It originates in the Heimdal Kerberos project, although " -"the MIT Kerberos library also provides client side (more details on that " -"below) support for the KCM credential cache." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:694 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:31 -msgid "" -"In a setup where Kerberos caches are managed by KCM, the Kerberos library " -"(typically used through an application, like e.g., <citerefentry> " -"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" -"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " -"being referred to as a <quote>\"KCM server\"</quote>. The client and server " -"communicate over a UNIX socket." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:700 +msgid "ldap_group_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:42 -msgid "" -"The KCM server keeps track of each credential caches's owner and performs " -"access check control based on the UID and GID of the KCM client. The root " -"user has access to all credential caches." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:703 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:47 -msgid "The KCM credential cache has several interesting properties:" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:714 +msgid "ldap_group_objectsid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:51 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:717 msgid "" -"since the process runs in userspace, it is subject to UID namespacing, " -"unlike the kernel keyring" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:56 -msgid "" -"unlike the kernel keyring-based cache, which is shared between all " -"containers, the KCM server is a separate process whose entry point is a UNIX " -"socket" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:729 +msgid "ldap_group_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-kcm.8.xml:61 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:742 +msgid "ldap_group_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:745 msgid "" -"the SSSD implementation stores the ccaches in a database, typically located " -"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " -"survive KCM server restarts or machine reboots." +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:67 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:750 msgid "" -"This allows the system to use a collection-aware credential cache, yet share " -"the credential cache between some or no containers by bind-mounting the " -"socket." +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:74 -msgid "USING THE KCM CREDENTIAL CACHE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:756 +msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:84 -#, no-wrap -msgid "" -"[libdefaults]\n" -" default_ccache_name = KCM:\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:763 +msgid "ldap_group_external_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:76 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:766 msgid "" -"In order to use KCM credential cache, it must be selected as the default " -"credential type in <citerefentry> <refentrytitle>krb5.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " -"cache name must be only <quote>KCM:</quote> without any template " -"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +"The LDAP attribute that references group members that are defined in an " +"external domain. 
At the moment, only IPA's external members are supported." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:89 -msgid "" -"Next, make sure the Kerberos client libraries and the KCM server must agree " -"on the UNIX socket path. By default, both use the same path <replaceable>/" -"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " -"library, change its <quote>kcm_socket</quote> option which is described in " -"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" -"manvolnum> </citerefentry> manual page." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:772 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:111 -#, no-wrap -msgid "" -"systemctl start sssd-kcm.socket\n" -"systemctl enable sssd-kcm.socket\n" -" " +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:782 +msgid "NETGROUP ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:100 -msgid "" -"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " -"typically socket-activated by <citerefentry> <refentrytitle>systemd</" -"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " -"services, it cannot be started by adding the <quote>kcm</quote> string to " -"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " -"id=\"0\"/> Please note your distribution may already configure the units for " -"you." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:786 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:789 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:792 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:796 +msgid "Default: nisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:120 -msgid "THE CREDENTIAL CACHE STORAGE" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:802 +msgid "ldap_netgroup_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:122 -msgid "" -"The credential caches are stored in a database, much like SSSD caches user " -"or group entries. The database is typically located at <quote>/var/lib/sss/" -"secrets</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:805 +msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-kcm.8.xml:129 -msgid "OBTAINING DEBUG LOGS" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:809 +msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:140 -#, no-wrap -msgid "" -"[kcm]\n" -"debug_level = 10\n" -" " +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:819 +msgid "ldap_netgroup_member (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><programlisting> -#: sssd-kcm.8.xml:145 sssd-kcm.8.xml:171 -#, no-wrap -msgid "" -"systemctl restart sssd-kcm.service\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:822 +msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:131 -msgid "" -"The sssd-kcm service is typically socket-activated <citerefentry> " -"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" -"citerefentry>. To generate debug logs, add the following either to the " -"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " -"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " -"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " -"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" -"case doesn't work for you. The KCM logs will be generated at <filename>/var/" -"log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " -"logs when you no longer need the debugging to be enabled as the sssd-kcm " -"service can generate quite a large amount of debugging information." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:826 +msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:155 -msgid "" -"Please note that configuration snippets are, at the moment, only processed " -"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " -"exists at all." 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:830 +msgid "Default: memberNisNetgroup" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:164 -msgid "" -"The KCM service is configured in the <quote>kcm</quote> section of the sssd." -"conf file. Please note that because the KCM service is typically socket-" -"activated, it is enough to just restart the <quote>sssd-kcm</quote> service " -"after changing options in the <quote>kcm</quote> section of sssd.conf: " -"<placeholder type=\"programlisting\" id=\"0\"/>" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:836 +msgid "ldap_netgroup_triple (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:175 +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:839 msgid "" -"The KCM service is configured in the <quote>kcm</quote> For a detailed " -"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " -"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page." +"The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:183 -msgid "" -"The generic SSSD service options such as <quote>debug_level</quote> or " -"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " -"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" -"manvolnum> </citerefentry> manual page for a complete list. In addition, " -"there are some KCM-specific options as well." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:843 sssd-ldap-attributes.5.xml:859 +msgid "This option is not available in IPA provider." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:194 -msgid "socket_path (string)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:846 +msgid "Default: nisNetgroupTriple" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:197 -msgid "The socket the KCM service will listen on." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:852 +msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:200 -msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:871 +msgid "HOST ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:205 -msgid "max_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:875 +msgid "ldap_host_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:208 -msgid "How many credential caches does the KCM database allow for all users." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:878 +msgid "The object class of a host entry in LDAP." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:212 -msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:881 sssd-ldap-attributes.5.xml:978 +msgid "Default: ipService" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:217 -msgid "max_uid_ccaches (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:887 +msgid "ldap_host_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:220 -msgid "" -"How many credential caches does the KCM database allow per UID. This is " -"equivalent to <quote>with how many principals you can kinit</quote>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:916 +msgid "The LDAP attribute that corresponds to the host's name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:225 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 64" -msgstr "默认: 3" - -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-kcm.8.xml:230 -msgid "max_ccache_size (integer)" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:900 +msgid "ldap_host_fqdn (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:233 +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:903 msgid "" -"How big can a credential cache be per ccache. Each service ticket accounts " -"into this quota." +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-kcm.8.xml:237 -#, fuzzy -#| msgid "Default: 3" -msgid "Default: 65536" -msgstr "默认: 3" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:907 +msgid "Default: fqdn" +msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-kcm.8.xml:247 -msgid "" -"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" -"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:913 +msgid "ldap_host_serverhostname (string)" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refname> -#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 -msgid "sssd-systemtap" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:920 +msgid "Default: serverHostname" msgstr "" -#. type: Content of: <reference><refentry><refnamediv><refpurpose> -#: sssd-systemtap.5.xml:17 -msgid "SSSD systemtap information" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:926 +msgid "ldap_host_member_of (string)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:23 -msgid "" -"This manual page provides information about the systemtap functionality in " -"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " -"</citerefentry>." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:929 +msgid "The LDAP attribute that lists the host's group memberships." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para> -#: sssd-systemtap.5.xml:32 -msgid "" -"SystemTap Probe points have been added into various locations in SSSD code " -"to assist in troubleshooting and analyzing performance related issues." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:939 +msgid "ldap_host_ssh_public_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:40 -msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:942 +msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" -#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> -#: sssd-systemtap.5.xml:46 -msgid "" -"Probes and miscellaneous functions are defined in /usr/share/systemtap/" -"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " -"respectively." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:952 +msgid "ldap_host_uuid (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><title> -#: sssd-systemtap.5.xml:57 -msgid "PROBE POINTS" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:955 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para> -#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 -msgid "" -"The information below lists the probe points and arguments available in the " -"following format:" +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:968 +#, fuzzy +#| msgid "SERVICES SECTIONS" +msgid "SERVICE ATTRIBUTES" +msgstr "服务部分" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:972 +msgid "ldap_service_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:64 -msgid "probe $name" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:975 +msgid "The object class of a service entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:67 -msgid "Description of probe point" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:984 +msgid "ldap_service_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:70 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:987 msgid "" -"variable1:datatype\n" -"variable2:datatype\n" -"variable3:datatype\n" -"...\n" -" " +"The LDAP attribute that contains the name of service attributes and their " +"aliases." msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:80 -msgid "Database Transaction Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:997 +msgid "ldap_service_port (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:84 -msgid "probe sssd_transaction_start" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1000 +msgid "The LDAP attribute that contains the port managed by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:87 -msgid "" -"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1004 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1010 +msgid "ldap_service_proto (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 -#: sssd-systemtap.5.xml:131 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1013 msgid "" -"nesting:integer\n" -"probestr:string\n" -" " +"The LDAP attribute that contains the protocols understood by this service." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:97 -msgid "probe sssd_transaction_cancel" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1017 +msgid "Default: ipServiceProtocol" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:100 -msgid "" -"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " -"function." +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1026 +msgid "SUDO ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:111 -msgid "probe sssd_transaction_commit_before" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1030 +msgid "ldap_sudorule_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:114 -msgid "Probes the sysdb_transaction_commit_before() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1033 +msgid "The object class of a sudo rule entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:124 -msgid "probe sssd_transaction_commit_after" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: sudoRole" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:127 -msgid "Probes the sysdb_transaction_commit_after() function." +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1042 +msgid "ldap_sudorule_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:141 -msgid "LDAP Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1045 +msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:145 -msgid "probe sdap_search_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1055 +msgid "ldap_sudorule_command (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:148 -msgid "Probes the sdap_get_generic_ext_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1058 +msgid "The LDAP attribute that corresponds to the command name." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 -#, no-wrap -msgid "" -"base:string\n" -"scope:integer\n" -"filter:string\n" -"probestr:string\n" -" " +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1062 +msgid "Default: sudoCommand" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:160 -msgid "probe sdap_search_recv" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1068 +msgid "ldap_sudorule_host (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:163 -msgid "Probes the sdap_get_generic_ext_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1071 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:175 -msgid "probe sdap_deref_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1076 +msgid "Default: sudoHost" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:178 -msgid "Probes the sdap_deref_search_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1082 +msgid "ldap_sudorule_user (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:182 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1085 msgid "" -"base_dn:string\n" -"deref_attr:string\n" -"probestr:string\n" -" " +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:189 -msgid "probe sdap_deref_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1089 +msgid "Default: sudoUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:192 -msgid "Probes the sdap_deref_search_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1095 +msgid "ldap_sudorule_option (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:208 -msgid "LDAP Account Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1098 +msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:212 -msgid "probe sdap_acct_req_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1102 +msgid "Default: sudoOption" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:215 -msgid "Probes the sdap_acct_req_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1108 +msgid "ldap_sudorule_runasuser (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 -#, no-wrap +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1111 msgid "" -"entry_type:int\n" -"filter_type:int\n" -"filter_value:string\n" -"extra_value:string\n" -" " +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:227 -msgid "probe sdap_acct_req_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1115 +msgid "Default: sudoRunAsUser" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:230 -msgid "Probes the sdap_acct_req_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1121 +msgid "ldap_sudorule_runasgroup (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:246 -msgid "LDAP User Search Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1124 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:250 -msgid "probe sdap_search_user_send" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1128 +msgid "Default: sudoRunAsGroup" msgstr "" -#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:253 -msgid "Probes the sdap_search_user_send() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1134 +msgid "ldap_sudorule_notbefore (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 -#: sssd-systemtap.5.xml:293 -#, no-wrap +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1137 msgid "" -"filter:string\n" -" " +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:262 -msgid "probe sdap_search_user_recv" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1141 +msgid "Default: sudoNotBefore" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:265 -msgid "Probes the sdap_search_user_recv() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1147 +msgid "ldap_sudorule_notafter (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:274 -msgid "probe sdap_search_user_save_begin" +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1150 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:277 -msgid "Probes the sdap_search_user_save_begin() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1155 +msgid "Default: sudoNotAfter" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:286 -msgid "probe sdap_search_user_save_end" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1161 +msgid "ldap_sudorule_order (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:289 -msgid "Probes the sdap_search_user_save_end() function." +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1164 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:302 -msgid "Data Provider Request Probes" +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1168 +msgid "Default: sudoOrder" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:306 -msgid "probe dp_req_send" +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1177 +msgid "AUTOFS ATTRIBUTES" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:309 -msgid "A Data Provider request is submitted." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:3 +msgid "ldap_autofs_map_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:312 -#, no-wrap -msgid "" -"dp_req_domain:string\n" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -" " +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:6 +msgid "The object class of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:320 -msgid "probe dp_req_done" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:9 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:323 -msgid "A Data Provider request is completed." +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:16 +msgid "ldap_autofs_map_name (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> -#: sssd-systemtap.5.xml:326 -#, no-wrap -msgid "" -"dp_req_name:string\n" -"dp_req_target:int\n" -"dp_req_method:int\n" -"dp_ret:int\n" -"dp_errorstr:string\n" -" " +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:19 +msgid "The name of an automount map entry in LDAP." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><title> -#: sssd-systemtap.5.xml:339 -msgid "MISCELLANEOUS FUNCTIONS" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:22 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:346 -msgid "function acct_req_desc(entry_type)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:29 +msgid "ldap_autofs_entry_object_class (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:349 -msgid "Convert entry_type to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:32 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:354 -msgid "" -"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " -"filter_value, extra_value)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:37 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:358 -msgid "Create probe string based on filter type" +#. 
type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:44 +msgid "ldap_autofs_entry_key (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:363 -msgid "function dp_target_str(target)" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:366 -msgid "Convert target to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:51 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> -#: sssd-systemtap.5.xml:371 -msgid "function dp_method_str(target)" +#. type: Content of: <variablelist><varlistentry><term> +#: include/autofs_attributes.xml:58 +msgid "ldap_autofs_entry_value (string)" msgstr "" -#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> -#: sssd-systemtap.5.xml:374 -msgid "Convert method to string and return string" +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/autofs_attributes.xml:65 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" msgstr "" #. type: Content of: <refsect1><title>